SB2021070405 - Multiple vulnerabilities in Go programming language
Published: July 4, 2021 Updated: October 19, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2021-33196)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing archives. A remote attacker can pass a specially crafted .zip file to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
2) Cross-site scripting (CVE-ID: CVE-2021-33195)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of data passed from DNS lookups. A remote attacker can send a specially crafted DNS reqponse and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Missing Authorization (CVE-ID: CVE-2021-33197)
The vulnerability allows a remote attacker to bypass authorization process.
The vulnerability exists due to an error in some configurations of ReverseProxy (from net/http/httputil). A remote attacker can drop arbitrary headers and bypass authorization process.
4) Resource management error (CVE-ID: CVE-2021-33198)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling a large exponent to the math/big.Rat SetString or UnmarshalText method. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1965503
- https://github.com/golang/go/issues/46242
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912
- https://go-review.googlesource.com/c/go/+/322949/
- https://go-review.googlesource.com/c/go/+/322909/
- https://go-review.googlesource.com/c/go/+/318909/
- https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
- https://groups.google.com/g/golang-announce