Amazon Linux AMI update for golang



Published: 2023-04-21
Risk High
Patch available YES
Number of vulnerabilities 13
CVE-ID CVE-2022-30580
CVE-2022-30634
CVE-2022-32189
CVE-2022-41717
CVE-2022-41722
CVE-2022-41723
CVE-2022-41724
CVE-2022-41725
CVE-2023-24532
CVE-2023-24534
CVE-2023-24536
CVE-2023-24537
CVE-2023-24538
CWE-ID CWE-94
CWE-835
CWE-20
CWE-770
CWE-22
CWE-400
CWE-399
CWE-682
Exploitation vector Network
Public exploit Public exploit code for vulnerability #4 is available.
Vulnerable software
Subscribe 		Amazon Linux AMI
Operating systems & Components / Operating system

golang
Operating systems & Components / Operating system package or component

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains information about 13 vulnerabilities.

1) Code Injection

EUVDB-ID: #VU68839

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-30580

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Cmd.Start in os/exec allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Infinite loop

EUVDB-ID: #VU73870

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-30634

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in crypto/rand on Windows when handling buffer larger than 1 << 32 - 1 bytes. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU66121

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-32189

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in
Float.GobDecode. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Allocation of Resources Without Limits or Throttling

EUVDB-ID: #VU70334

Risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-41717

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Path traversal

EUVDB-ID: #VU73721

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-41722

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the filepath.Clean() function on Windows, which can transform an invalid path such as "a/../c:/b" into the valid path "c:". As a result, an attacker can read arbitrary files on the system.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Resource exhaustion

EUVDB-ID: #VU72686

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-41723

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in the HPACK decoder. A remote attacker can send a specially crafted HTTP/2 stream to the application, cause resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Resource management error

EUVDB-ID: #VU72685

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-41724

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources in crypto/tls when handling large TLS handshake records. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.

The vulnerability affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Resource exhaustion

EUVDB-ID: #VU73722

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-41725

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper control over internal resources in net/http and mime/multipart. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Incorrect calculation

EUVDB-ID: #VU73264

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24532

CWE-ID: CWE-682 - Incorrect Calculation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Resource exhaustion

EUVDB-ID: #VU74571

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24534

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing HTTP and MIME headers in net/textproto. A remote attacker can cause an HTTP server to allocate large amounts of memory from a small request and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Resource management error

EUVDB-ID: #VU74572

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24536

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within mime/multipart and net/textproto components when parsing multipart forms. A remote attacker can pass specially crafted request to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Infinite loop

EUVDB-ID: #VU74573

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24537

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when calling any of the Parse functions on Go source code which contains //line directives with very large line numbers. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Code Injection

EUVDB-ID: #VU74574

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24538

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in html/template when handling JavaScript templates that contain backticks in code. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary JavaScript code into the Go template.

Mitigation

Update the affected packages:

i686:
    golang-shared-1.18.6-1.43.amzn1.i686
    golang-1.18.6-1.43.amzn1.i686
    golang-bin-1.18.6-1.43.amzn1.i686

noarch:
    golang-docs-1.18.6-1.43.amzn1.noarch
    golang-tests-1.18.6-1.43.amzn1.noarch
    golang-src-1.18.6-1.43.amzn1.noarch
    golang-misc-1.18.6-1.43.amzn1.noarch

src:
    golang-1.18.6-1.43.amzn1.src

x86_64:
    golang-bin-1.18.6-1.43.amzn1.x86_64
    golang-race-1.18.6-1.43.amzn1.x86_64
    golang-shared-1.18.6-1.43.amzn1.x86_64
    golang-1.18.6-1.43.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.18.6-1.43

External links

http://alas.aws.amazon.com/ALAS-2023-1731.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###