SB2022071516 - Multiple vulnerabilities in Go programming language

Description

This security bulletin contains information about 2 vulnerabilities.

1) Infinite loop (CVE-ID: CVE-2022-30634)

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in crypto/rand on Windows when handling buffer larger than 1 << 32 - 1 bytes. A remote attacker can consume all available system resources and cause denial of service conditions.

2) Path traversal (CVE-ID: CVE-2022-29804)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error within the filepath.Clean function on Windows, which can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack. A remote attacker can pass specially crafted data to the application and perform directory traversal attacks.

Remediation

Install update from vendor's website.

References

• https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
• https://go.dev/cl/402257
• https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863
• https://go.dev/issue/52561
• https://pkg.go.dev/vuln/GO-2022-0477
• https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
• https://pkg.go.dev/vuln/GO-2022-0533
• https://go.dev/cl/401595
• https://go.dev/issue/52476