9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.006 Low
EPSS
Percentile
78.3%
Issue Overview:
2024-01-03: CVE-2021-27919 was added to this advisory.
An out of bounds read vulnerability was found in golang. When using the archive/zip standard library (stdlib) and an unexpected file is parsed, it can cause golang to attempt to read outside of a slice (array) causing a panic in the runtime. A potential attacker can use this vulnerability to craft an archive which causes an application using this library to crash resulting in a Denial of Service (DoS). (CVE-2021-27919)
A validation flaw was found in golang. When invoking functions from WASM modules built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. The highest threat from this vulnerability is to integrity. (CVE-2021-38297)
An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat, it can cause golang to attempt to read outside of a slice (array) causing a panic when calling ImportedSymbols. An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service. (CVE-2021-41771)
A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names or an empty filename argument. (CVE-2021-41772)
There’s an uncontrolled resource consumption flaw in golang’s net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http’s http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources. (CVE-2021-44716)
There’s a flaw in golang’s syscall.ForkExec() interface. An attacker who manages to first cause a file descriptor exhaustion for the process, then cause syscall.ForkExec() to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec(). (CVE-2021-44717)
Affected Packages:
golang
Issue Correction:
Run yum update golang to update your system.
New Packages:
i686:
golang-shared-1.16.15-1.37.amzn1.i686
golang-1.16.15-1.37.amzn1.i686
golang-bin-1.16.15-1.37.amzn1.i686
noarch:
golang-docs-1.16.15-1.37.amzn1.noarch
golang-tests-1.16.15-1.37.amzn1.noarch
golang-misc-1.16.15-1.37.amzn1.noarch
golang-src-1.16.15-1.37.amzn1.noarch
src:
golang-1.16.15-1.37.amzn1.src
x86_64:
golang-bin-1.16.15-1.37.amzn1.x86_64
golang-1.16.15-1.37.amzn1.x86_64
golang-race-1.16.15-1.37.amzn1.x86_64
golang-shared-1.16.15-1.37.amzn1.x86_64
Red Hat: CVE-2021-27919, CVE-2021-38297, CVE-2021-41771, CVE-2021-41772, CVE-2021-44716, CVE-2021-44717
Mitre: CVE-2021-27919, CVE-2021-38297, CVE-2021-41771, CVE-2021-41772, CVE-2021-44716, CVE-2021-44717
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | golang-shared | < 1.16.15-1.37.amzn1 | golang-shared-1.16.15-1.37.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | golang | < 1.16.15-1.37.amzn1 | golang-1.16.15-1.37.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | golang-bin | < 1.16.15-1.37.amzn1 | golang-bin-1.16.15-1.37.amzn1.i686.rpm |
Amazon Linux | 1 | noarch | golang-docs | < 1.16.15-1.37.amzn1 | golang-docs-1.16.15-1.37.amzn1.noarch.rpm |
Amazon Linux | 1 | noarch | golang-tests | < 1.16.15-1.37.amzn1 | golang-tests-1.16.15-1.37.amzn1.noarch.rpm |
Amazon Linux | 1 | noarch | golang-misc | < 1.16.15-1.37.amzn1 | golang-misc-1.16.15-1.37.amzn1.noarch.rpm |
Amazon Linux | 1 | noarch | golang-src | < 1.16.15-1.37.amzn1 | golang-src-1.16.15-1.37.amzn1.noarch.rpm |
Amazon Linux | 1 | x86_64 | golang-bin | < 1.16.15-1.37.amzn1 | golang-bin-1.16.15-1.37.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | golang | < 1.16.15-1.37.amzn1 | golang-1.16.15-1.37.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | golang-race | < 1.16.15-1.37.amzn1 | golang-race-1.16.15-1.37.amzn1.x86_64.rpm |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.006 Low
EPSS
Percentile
78.3%