Amazon Linux AMI update for golang

Published: 2022-04-29

Risk	High
Patch available	YES
Number of vulnerabilities	5
CVE-ID	CVE-2021-38297 CVE-2021-41771 CVE-2021-41772 CVE-2021-44716 CVE-2021-44717
CWE-ID	CWE-119 CWE-20 CWE-400
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Amazon Linux AMI Operating systems & Components / Operating system golang Operating systems & Components / Operating system package or component
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU57579

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-38297

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trigger memory corruption via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.16.15-1.37.amzn1.i686
    golang-1.16.15-1.37.amzn1.i686
    golang-bin-1.16.15-1.37.amzn1.i686

noarch:
    golang-docs-1.16.15-1.37.amzn1.noarch
    golang-tests-1.16.15-1.37.amzn1.noarch
    golang-misc-1.16.15-1.37.amzn1.noarch
    golang-src-1.16.15-1.37.amzn1.noarch

src:
    golang-1.16.15-1.37.amzn1.src

x86_64:
    golang-bin-1.16.15-1.37.amzn1.x86_64
    golang-1.16.15-1.37.amzn1.x86_64
    golang-race-1.16.15-1.37.amzn1.x86_64
    golang-shared-1.16.15-1.37.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.16.15-1.37

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

http://alas.aws.amazon.com/ALAS-2022-1583.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Buffer overflow

EUVDB-ID: #VU65080

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-41771

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists in debug/macho of the Go standard library when using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat. A remote attacker can send a specially crafted file to perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.16.15-1.37.amzn1.i686
    golang-1.16.15-1.37.amzn1.i686
    golang-bin-1.16.15-1.37.amzn1.i686

noarch:
    golang-docs-1.16.15-1.37.amzn1.noarch
    golang-tests-1.16.15-1.37.amzn1.noarch
    golang-misc-1.16.15-1.37.amzn1.noarch
    golang-src-1.16.15-1.37.amzn1.noarch

src:
    golang-1.16.15-1.37.amzn1.src

x86_64:
    golang-bin-1.16.15-1.37.amzn1.x86_64
    golang-1.16.15-1.37.amzn1.x86_64
    golang-race-1.16.15-1.37.amzn1.x86_64
    golang-shared-1.16.15-1.37.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.16.15-1.37

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

http://alas.aws.amazon.com/ALAS-2022-1583.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Input validation error

EUVDB-ID: #VU66120

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-41772

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in archive/zip Reader.Open. A remote attacker can pass specially crafted ZIP archive containing an invalid name or an empty filename field to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.16.15-1.37.amzn1.i686
    golang-1.16.15-1.37.amzn1.i686
    golang-bin-1.16.15-1.37.amzn1.i686

noarch:
    golang-docs-1.16.15-1.37.amzn1.noarch
    golang-tests-1.16.15-1.37.amzn1.noarch
    golang-misc-1.16.15-1.37.amzn1.noarch
    golang-src-1.16.15-1.37.amzn1.noarch

src:
    golang-1.16.15-1.37.amzn1.src

x86_64:
    golang-bin-1.16.15-1.37.amzn1.x86_64
    golang-1.16.15-1.37.amzn1.x86_64
    golang-race-1.16.15-1.37.amzn1.x86_64
    golang-shared-1.16.15-1.37.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.16.15-1.37

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

http://alas.aws.amazon.com/ALAS-2022-1583.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Input validation error

EUVDB-ID: #VU58824

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-44716

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.16.15-1.37.amzn1.i686
    golang-1.16.15-1.37.amzn1.i686
    golang-bin-1.16.15-1.37.amzn1.i686

noarch:
    golang-docs-1.16.15-1.37.amzn1.noarch
    golang-tests-1.16.15-1.37.amzn1.noarch
    golang-misc-1.16.15-1.37.amzn1.noarch
    golang-src-1.16.15-1.37.amzn1.noarch

src:
    golang-1.16.15-1.37.amzn1.src

x86_64:
    golang-bin-1.16.15-1.37.amzn1.x86_64
    golang-1.16.15-1.37.amzn1.x86_64
    golang-race-1.16.15-1.37.amzn1.x86_64
    golang-shared-1.16.15-1.37.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.16.15-1.37

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

http://alas.aws.amazon.com/ALAS-2022-1583.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Resource exhaustion

EUVDB-ID: #VU59042

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-44717

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing HTTP/2 requests. A remote attacker can send multiple HTTP/2 requests to the server and exhaust all available memory resources.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.16.15-1.37.amzn1.i686
    golang-1.16.15-1.37.amzn1.i686
    golang-bin-1.16.15-1.37.amzn1.i686

noarch:
    golang-docs-1.16.15-1.37.amzn1.noarch
    golang-tests-1.16.15-1.37.amzn1.noarch
    golang-misc-1.16.15-1.37.amzn1.noarch
    golang-src-1.16.15-1.37.amzn1.noarch

src:
    golang-1.16.15-1.37.amzn1.src

x86_64:
    golang-bin-1.16.15-1.37.amzn1.x86_64
    golang-1.16.15-1.37.amzn1.x86_64
    golang-race-1.16.15-1.37.amzn1.x86_64
    golang-shared-1.16.15-1.37.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.16.15-1.37

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

http://alas.aws.amazon.com/ALAS-2022-1583.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?