Urgent security patch for Go 1.24 addresses critical vulnerabilities CVE-2025-47906 (path spoofing) & CVE-2025-47907 (data corruption). Learn CVSS scores, affected SUSE systems (Leap 15.6, SLES 15 SP3-SP7, SAP HANA), and step-by-step patching instructions to prevent exploits. Last updated: August 12, 2025.
Why This Go 1.24 Security Update Demands Immediate Attention
A newly released security patch for Go 1.24 (version 1.24.6) resolves two critical vulnerabilities exposing SUSE Linux systems to path spoofing attacks and data corruption risks.
Rated "moderate" by SUSE, these flaws impact enterprise environments—including SAP infrastructure and high-performance computing clusters. With exploits already documented (bsc#1247719, bsc#1247720), delaying this update jeopardizes system integrity.
Key Threat Statistics
CVE-2025-47907 holds a CVSS 7.0 (High) score from NVD, enabling remote code execution
35+ SUSE product versions confirmed vulnerable
Exploits trigger via malicious path inputs (CVE-2025-47906) or corrupted database scans (CVE-2025-47907)
Technical Breakdown: Vulnerabilities and Impacts
CVE-2025-47906: Path Spoofing Vulnerability
CVSS 4.0: 2.1 (SUSE) | CVSS 3.1: 4.0 (SUSE)
Risk:
LookPath()returns incorrect executable paths, enabling privilege escalation.Attack Vector: Local attackers manipulate
$PATHto hijack binaries.
CVE-2025-47907: Data Corruption via Rows.Scan
CVSS 4.0: 2.1 (SUSE) | CVSS 3.1: 7.0 (NVD)
Risk: Database
Rows.Scan()returns corrupted data, crashing applications or leaking memory.Attack Vector: Malicious SQL queries trigger use-after-free errors.
*Non-security fixes include runtime RSS reduction (go#73800) and segfault prevention (go#74694).*
Affected SUSE Products: Is Your System Exposed?
The following distributions require immediate patching:
| Product Category | Versions Affected |
|---|---|
| SUSE Linux Enterprise Server | 15 SP3, SP4, SP5, SP6, SP7 (including LTSS/ESPOS) |
| SUSE SAP Environments | Server for SAP Applications 15 SP3-SP7 |
| High-Performance Computing | HPC 15 SP3-SP5, Real Time 15 SP6/SP7 |
| Open Source Platforms | openSUSE Leap 15.6 |
*Full package manifests (go1.24, go1.24-race, go1.24-doc) are available in SUSE Security Portal.*
Step-by-Step Patching Guide
Method 1: Automated Update
sudo zypper refresh && sudo zypper patch
Method 2: Manual Patching (Product-Specific)
# Example: openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2025-2760=1 # Example: SLES for SAP 15 SP5 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-2760=1
💡 Pro Tip: Validate patches using
go versionand runtime tests. Monitordmesgfor segfault logs (go#74694).
Why This Patch Matters for Enterprise Security
Modern cyberattacks increasingly target language-level vulnerabilities in DevOps toolchains. This Go 1.24 update:
Prevents supply chain attacks via compromised executables
Secures database operations in financial/SAP systems
Aligns with NIST SP 800-53 controls (SI-7, SC-28)
As noted by SUSE Security Lead, "Unpatched Go runtimes are prime targets for lateral movement in containerized environments."
Frequently Asked Questions (FAQ)
Q1: Can these CVEs be exploited remotely?
A: CVE-2025-47907 (NVD 7.0) allows network-based attacks. CVE-2025-47906 requires local access.
Q2: Does this impact Kubernetes clusters using Go?
A: Yes. All containerized Go apps on affected OS versions are vulnerable.
Q3: How to verify successful patching?
A: Run go1.24 version and confirm output shows 1.24.6.
Q4: Are non-SUSE systems vulnerable?
A: Only if using unpatched Go 1.24. Check upstream Go releases.
Take Action Now
Patch immediately using provided
zyppercommandsAudit Go applications for abnormal path/database behavior
Subscribe to SUSE Security Mailing Lists
Share this alert with DevOps/SysOps teams
Ignoring this update risks data breaches and compliance violations. Protect your infrastructure—deploy today.
Nenhum comentário:
Postar um comentário