Amazon Linux AMI update for golang



Risk High
Patch available YES
Number of vulnerabilities 15
CVE-ID CVE-2022-23772
CVE-2022-23773
CVE-2022-23806
CVE-2022-2880
CVE-2022-30580
CVE-2022-30634
CVE-2022-41717
CVE-2022-41722
CVE-2022-41724
CVE-2022-41725
CVE-2023-24532
CVE-2023-24534
CVE-2023-24536
CVE-2023-24537
CVE-2023-24538
CWE-ID CWE-400
CWE-863
CWE-252
CWE-20
CWE-94
CWE-835
CWE-770
CWE-22
CWE-399
CWE-682
Exploitation vector Network
Public exploit Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #7 is available.
Vulnerable software
Amazon Linux AMI
Operating systems & Components / Operating system

golang
Operating systems & Components / Operating system package or component

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains information about 15 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU62038

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23772

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the Rat.SetString(0 function in math/big. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Incorrect authorization

EUVDB-ID: #VU62037

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-23773

CWE-ID: CWE-863 - Incorrect Authorization

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists within cmd/go, which can misinterpret branch names that falsely appear to be version tags. This can lead to  a situation where an attacker can bypass implemented security restrictions and perform restricted actions, e.g. create tags when access was granted to create branches only.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Unchecked Return Value

EUVDB-ID: #VU62036

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23806

CWE-ID: CWE-252 - Unchecked Return Value

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to unchecked return value within the Curve.IsOnCurve() function in crypto/elliptic. A remote attacker can force the application to incorrectly return true in situations with a big.Int value that is not a valid field element. As a result, an attacker can modify application flow, which can lead to unauthorized data modification or denial of service.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU68389

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2880

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform parameter smuggling attacks.

The vulnerability exists due to incorrect handling of requests forwarded by ReverseProxy in net/http/httputil. A remote attacker can supply specially crafted parameters that cannot be parsed and are rejected by net/http and force the application to include these parameters into the forwarding request. As a result, a remote attacker can smuggle potentially dangerous HTTP parameters into the request.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Code Injection

EUVDB-ID: #VU68839

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-30580

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Cmd.Start in os/exec allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Infinite loop

EUVDB-ID: #VU73870

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-30634

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in crypto/rand on Windows when handling buffer larger than 1 << 32 - 1 bytes. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Allocation of Resources Without Limits or Throttling

EUVDB-ID: #VU70334

Risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-41717

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

8) Path traversal

EUVDB-ID: #VU73721

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-41722

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the filepath.Clean() function on Windows, which can transform an invalid path such as "a/../c:/b" into the valid path "c:". As a result, an attacker can read arbitrary files on the system.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Resource management error

EUVDB-ID: #VU72685

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-41724

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources in crypto/tls when handling large TLS handshake records. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.

The vulnerability affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Resource exhaustion

EUVDB-ID: #VU73722

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-41725

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper control over internal resources in net/http and mime/multipart. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Incorrect calculation

EUVDB-ID: #VU73264

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24532

CWE-ID: CWE-682 - Incorrect Calculation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Resource exhaustion

EUVDB-ID: #VU74571

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24534

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing HTTP and MIME headers in net/textproto. A remote attacker can cause an HTTP server to allocate large amounts of memory from a small request and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Resource management error

EUVDB-ID: #VU74572

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24536

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within mime/multipart and net/textproto components when parsing multipart forms. A remote attacker can pass specially crafted request to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Infinite loop

EUVDB-ID: #VU74573

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24537

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when calling any of the Parse functions on Go source code which contains //line directives with very large line numbers. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Code Injection

EUVDB-ID: #VU74574

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24538

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in html/template when handling JavaScript templates that contain backticks in code. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary JavaScript code into the Go template.

Mitigation

Update the affected packages:

aarch64:
    golang-1.19.8-1.amzn2023.0.1.aarch64
    golang-bin-1.19.8-1.amzn2023.0.1.aarch64
    golang-shared-1.19.8-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.19.8-1.amzn2023.0.1.noarch
    golang-misc-1.19.8-1.amzn2023.0.1.noarch
    golang-src-1.19.8-1.amzn2023.0.1.noarch
    golang-tests-1.19.8-1.amzn2023.0.1.noarch

src:
    golang-1.19.8-1.amzn2023.0.1.src

x86_64:
    golang-1.19.8-1.amzn2023.0.1.x86_64
    golang-race-1.19.8-1.amzn2023.0.1.x86_64
    golang-bin-1.19.8-1.amzn2023.0.1.x86_64
    golang-shared-1.19.8-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

golang: before 1.19.8-1

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-175.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###