Lucene search

K
amazonAmazonALAS-2023-1685
HistoryFeb 15, 2023 - 12:23 a.m.

Medium: golang

2023-02-1500:23:00
alas.aws.amazon.com
13

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.004 Low

EPSS

Percentile

72.1%

Issue Overview:

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. (CVE-2022-23772)

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. (CVE-2022-23773)

A flaw was found in the elliptic package of the crypto library in golang when the IsOnCurve function could return true for invalid field elements. This flaw allows an attacker to take advantage of this undefined behavior, affecting the availability and integrity of the resource. (CVE-2022-23806)

Affected Packages:

golang

Issue Correction:
Run yum update golang to update your system.

New Packages:

i686:  
    golang-bin-1.16.15-1.38.amzn1.i686  
    golang-shared-1.16.15-1.38.amzn1.i686  
    golang-1.16.15-1.38.amzn1.i686  
  
noarch:  
    golang-tests-1.16.15-1.38.amzn1.noarch  
    golang-src-1.16.15-1.38.amzn1.noarch  
    golang-docs-1.16.15-1.38.amzn1.noarch  
    golang-misc-1.16.15-1.38.amzn1.noarch  
  
src:  
    golang-1.16.15-1.38.amzn1.src  
  
x86_64:  
    golang-bin-1.16.15-1.38.amzn1.x86_64  
    golang-race-1.16.15-1.38.amzn1.x86_64  
    golang-shared-1.16.15-1.38.amzn1.x86_64  
    golang-1.16.15-1.38.amzn1.x86_64  

Additional References

Red Hat: CVE-2022-23772, CVE-2022-23773, CVE-2022-23806

Mitre: CVE-2022-23772, CVE-2022-23773, CVE-2022-23806

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.004 Low

EPSS

Percentile

72.1%