CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 8.1 High
Confidence: High

CVSS2: 6.4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.017 Low
Percentile: 87.7%

Issue Overview:
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. (CVE-2021-3114)
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the “go get” command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). (CVE-2021-3115)
Affected Packages:
golang
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update golang to update your system.
New Packages:
aarch64:
golang-1.15.8-1.amzn2.0.1.aarch64
golang-bin-1.15.8-1.amzn2.0.1.aarch64
noarch:
golang-docs-1.15.8-1.amzn2.0.1.noarch
golang-misc-1.15.8-1.amzn2.0.1.noarch
golang-tests-1.15.8-1.amzn2.0.1.noarch
golang-src-1.15.8-1.amzn2.0.1.noarch
src:
golang-1.15.8-1.amzn2.0.1.src
x86_64:
golang-1.15.8-1.amzn2.0.1.x86_64
golang-bin-1.15.8-1.amzn2.0.1.x86_64
golang-race-1.15.8-1.amzn2.0.1.x86_64
Red Hat: CVE-2021-3114, CVE-2021-3115
Mitre: CVE-2021-3114, CVE-2021-3115
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | golang | < 1.15.8-1.amzn2.0.1 | golang-1.15.8-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | golang-bin | < 1.15.8-1.amzn2.0.1 | golang-bin-1.15.8-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | noarch | golang-docs | < 1.15.8-1.amzn2.0.1 | golang-docs-1.15.8-1.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | noarch | golang-misc | < 1.15.8-1.amzn2.0.1 | golang-misc-1.15.8-1.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | noarch | golang-tests | < 1.15.8-1.amzn2.0.1 | golang-tests-1.15.8-1.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | noarch | golang-src | < 1.15.8-1.amzn2.0.1 | golang-src-1.15.8-1.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | x86_64 | golang | < 1.15.8-1.amzn2.0.1 | golang-1.15.8-1.amzn2.0.1.x86_64.rpm |
Amazon Linux | 2 | x86_64 | golang-bin | < 1.15.8-1.amzn2.0.1 | golang-bin-1.15.8-1.amzn2.0.1.x86_64.rpm |
Amazon Linux | 2 | x86_64 | golang-race | < 1.15.8-1.amzn2.0.1 | golang-race-1.15.8-1.amzn2.0.1.x86_64.rpm |