FERRAMENTAS LINUX: Urgent Go 1.23 Security Patch: Critical Vulnerabilities Patched (CVE-2025-47906 & CVE-2025-47907)

Tuesday, 12 August 2025


SUSE


Critical Go 1.23 security update patches CVE-2025-47906 (path hijacking) & CVE-2025-47907 (data corruption). Install now on SUSE Linux, openSUSE, and SAP systems to prevent exploits. Patch commands included.


Why This Update Demands Immediate Attention

Two critical CVEs threaten Go 1.23 environments across SUSE’s enterprise ecosystem. Attackers could exploit these to:

  • Hijack execution paths (CVE-2025-47906, CVSS 3.1 score 4.0)

  • Corrupt database scan results (CVE-2025-47907, CVSS 3.1 score 7.0 per NVD)

With more than 30 affected products, including SUSE Linux Enterprise Server, SUSE Linux Enterprise for SAP, and High-Performance Computing (HPC) clusters, delaying the patch risks compliance breaches and system compromise.


🔍 Technical Vulnerability Analysis

CVE-2025-47906: Path Validation Failure

  • Threat: The os/exec LookPath function can return an executable path that was not properly validated, which an attacker could leverage for privilege escalation.

  • CVSS 4.0: 2.1 (Low) | CVSS 3.1: 4.0 (Medium)

  • Exploitability: Local attack vector; no user interaction.

  • Patch Impact: Restricts path resolution to trusted directories.
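The LookPath issue above comes down to trusting whatever path the lookup returns. The Go snippet below is an added example, not code from this page, from SUSE, or from the Go project, and it does not replace the toolchain update. It shows the validation a caller can apply on its own side: only absolute PATH entries are searched, a relative result (exec.ErrDot, which Go returns when a "." entry in PATH produced the match) is rejected, and the resolved binary must sit directly inside an allow-list of trusted directories, which is the same idea as the patch's "trusted directories" restriction. The function names, the allow-list and the sample PATH string are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrUntrustedPath is returned when a resolved executable lies outside the allow-list.
var ErrUntrustedPath = errors.New("executable resolved outside trusted directories")

// validateExecutablePath applies the checks a caller should make on a path
// returned by exec.LookPath (or any other lookup) before executing it:
// it must be absolute, sit directly in one of the trusted directories, and
// point at a regular file with an execute bit set.
func validateExecutablePath(p string, trusted []string) (string, error) {
	if !filepath.IsAbs(p) {
		return "", fmt.Errorf("%w: %q is not absolute", ErrUntrustedPath, p)
	}
	clean := filepath.Clean(p)
	dir := filepath.Dir(clean)
	allowed := false
	for _, t := range trusted {
		if filepath.Clean(t) == dir {
			allowed = true
			break
		}
	}
	if !allowed {
		return "", fmt.Errorf("%w: %q", ErrUntrustedPath, clean)
	}
	info, err := os.Stat(clean)
	if err != nil {
		return "", err
	}
	if !info.Mode().IsRegular() || info.Mode().Perm()&0o111 == 0 {
		return "", fmt.Errorf("%q is not an executable regular file", clean)
	}
	return clean, nil
}

// trustedLookPath resolves name against pathEnv (a PATH-style list) while
// skipping empty or relative entries ("" and "." both mean the current
// directory), then validates every candidate with validateExecutablePath.
func trustedLookPath(name, pathEnv string, trusted []string) (string, error) {
	if name == "" || strings.ContainsRune(name, os.PathSeparator) {
		return "", fmt.Errorf("refusing lookup of %q: bare program name expected", name)
	}
	for _, dir := range filepath.SplitList(pathEnv) {
		if !filepath.IsAbs(dir) {
			continue // never search the current directory or relative entries
		}
		if p, err := validateExecutablePath(filepath.Join(dir, name), trusted); err == nil {
			return p, nil
		}
	}
	return "", fmt.Errorf("%q not found in trusted directories", name)
}

// lookPathChecked wraps exec.LookPath with the same validation and treats a
// relative result (exec.ErrDot) as a hard error rather than a warning.
func lookPathChecked(name string, trusted []string) (string, error) {
	p, err := exec.LookPath(name)
	if err != nil {
		if errors.Is(err, exec.ErrDot) {
			return "", fmt.Errorf("%w: %v", ErrUntrustedPath, err)
		}
		return "", err
	}
	return validateExecutablePath(p, trusted)
}

func main() {
	// Assumed allow-list for a typical Linux host; adjust to the deployment.
	trusted := []string{"/usr/bin", "/bin"}
	p, err := lookPathChecked("sh", trusted)
	fmt.Println("resolved:", p, "error:", err)
}
```

Both helpers fail closed: a lookup that lands anywhere except an allow-listed directory returns an error and no path, so the caller never runs a binary it did not expect.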

CVE-2025-47907: Database Scan Corruption

  • Threat: The database/sql Rows.Scan method can return invalid data, leading to application crashes or data leaks.

  • CVSS 4.0: 2.1 (Low) | CVSS 3.1: 7.0 (High, per NVD)

  • Exploitability: Remote attack via malicious queries.

  • Patch Impact: Fixes memory handling in database scanners.

💡 Security Note: While SUSE rates these moderate, NVD’s 7.0 score for CVE-2025-47907 indicates high risk for cloud-native applications.


Affected Products & Patch Instructions

Critical Systems Requiring Updates

  • SUSE Linux Enterprise Server (SP3-SP7, LTSS)

  • SUSE Linux Enterprise for SAP (SP3-SP7)

  • High-Performance Computing (HPC/ESPOS)

  • openSUSE Leap 15.6

  • Development Tools Module 15-SP6/SP7

Patch Deployment Commands

```bash
# Example: SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-2759=1

# SAP Applications 15 SP5:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-2759=1

# Full command list: https://www.suse.com/support/update/
```

Validated Package Versions

Post-update, ensure these packages are installed:

| Product | Secure Version |
|---|---|
| SUSE Enterprise Storage 7.1 | go1.23-1.23.12-150000.1.40.1 |
| openSUSE Leap 15.6 | go1.23-1.23.12-150000.1.40.1 |
| Development Tools Module 15-SP7 | go1.23-1.23.12-150000.1.40.1 |


Verification Tip: Run zypper info go1.23 to confirm version 1.23.12.
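Updating the go1.23 package fixes the toolchain, but every binary compiled before the update still carries the old os/exec and database/sql code until it is rebuilt, so the package version alone does not prove a host is clean. The Go program below is an added example, not from this page or from SUSE. It uses the standard debug/buildinfo package to read the toolchain version embedded in each Go binary under a directory and reports those built with a 1.23 release older than 1.23.12, the version the table above names. The default directory, the function names and the rule that pre-release strings such as go1.23rc1 are treated as unparseable are assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// minFixed is the first Go 1.23 release the advisory lists as carrying the fixes.
const minFixed = "go1.23.12"

// parseGoVersion turns "go1.23.12" into [1, 23, 12]. A missing patch number
// ("go1.23") is read as .0; pre-release suffixes ("go1.23rc1") are rejected.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// needsRebuild reports whether a binary built with toolchain v sits on the
// 1.23 line and predates minFixed. Other release lines return false because
// this advisory covers Go 1.23 only (assumption: other lines are tracked separately).
func needsRebuild(v string) (bool, error) {
	got, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	want, _ := parseGoVersion(minFixed)
	if got[0] != want[0] || got[1] != want[1] {
		return false, nil
	}
	return got[2] < want[2], nil
}

// scanDir walks root, reads the build info embedded in every Go binary it
// finds and returns the paths of binaries compiled with an unfixed 1.23 toolchain.
// Files that are not Go binaries, and unreadable entries, are skipped silently.
func scanDir(root string) ([]string, error) {
	var stale []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return nil
		}
		bi, err := buildinfo.ReadFile(p)
		if err != nil {
			return nil // not a Go binary
		}
		if old, verr := needsRebuild(bi.GoVersion); verr == nil && old {
			stale = append(stale, fmt.Sprintf("%s (%s)", p, bi.GoVersion))
		}
		return nil
	})
	return stale, err
}

func main() {
	root := "/usr/local/bin" // assumed default; pass a directory as the first argument
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	stale, err := scanDir(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	for _, s := range stale {
		fmt.Println("needs rebuild:", s)
	}
	fmt.Printf("%d binaries under %s need a rebuild with %s or later\n", len(stale), root, minFixed)
}
```

The same check can be run by hand with go version -m on a single binary; the program is only a way to apply it across a whole directory tree and to avoid missing a binary that was shipped by a third party rather than built in-house.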


Go Security Patch FAQ

Q1: Is this update relevant for Kubernetes clusters using Go?

A: Absolutely. Go underpins critical K8s components. Patch worker nodes immediately.


Q2: Why do CVSS scores vary between SUSE and NVD?

A: SUSE scores reflect their configurations; NVD assesses universal impact. Always prioritize higher scores.


Q3: Can these vulnerabilities cause data loss?

A: CVE-2025-47907’s memory corruption could crash databases. Schedule patches during maintenance windows.


Additional Resources

  1. CVE-2025-47906 Details

  2. SUSE Bug #1247719

  3. Go 1.23 Release Notes
