#VU65080 Buffer overflow in Go programming language


Published: 2022-07-11

Vulnerability identifier: #VU65080

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41771

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists in debug/macho of the Go standard library when using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat. A remote attacker can send a specially crafted file to perform a denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.16.0 - 1.16.9, 1.17 - 1.17.2

External links
http://groups.google.com/g/golang-announce/c/0fM21h43arc
http://security.netapp.com/advisory/ntap-20211210-0003/
http://bugzilla.redhat.com/show_bug.cgi?id=2020725

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM QRadar Suite software
Splunk Enterprise update for third-party packages
Multiple vulnerabilities in Dell PowerProtect Cyber Recovery
Multiple vulnerabilities in Siemens Brownfield Connectivity Gateway
Multiple vulnerabilities in Netcool Operations Insight
Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak
Gentoo update for Go
Multiple vulnerabilities in IBM MQ Operator
Amazon Linux AMI update for golang
SUSE update for go1.16