ALAS2-2022-1811


Amazon Linux 2 Security Advisory: ALAS2-2022-1811
Advisory Released Date: 2022-07-15
Advisory Updated Date: 2025-04-08
Severity: Important

Issue Overview:

An infinite loop vulnerability was found in golang. If an application defines a custom token parser initializing with `xml.NewTokenDecoder` it is possible for the parsing loop to never return. An attacker could potentially craft a malicious XML document which has an XML element with `EOF` within it, causing the parsing application to endlessly loop, resulting in a Denial of Service (DoS). (CVE-2021-27918)

archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename. (CVE-2021-27919)

A flaw was found in Go. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in the net package and methods on the Resolver type, may return arbitrary values retrieved from DNS, allowing injection of unexpected contents. The highest threat from this vulnerability is to integrity. (CVE-2021-33195)

A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity. (CVE-2021-33197)

A flaw was found in Go, where it attempts to allocate excessive memory. This issue may cause panic or unrecoverable fatal error if passed inputs with very large exponents. The highest threat from this vulnerability is to system availability. (CVE-2021-33198)

A race condition flaw was found in Go. The incoming requests body weren't closed after the handler panic and as a consequence this could lead to ReverseProxy crash. The highest threat from this vulnerability is to Availability. (CVE-2021-36221)

A validation flaw was found in golang. When invoking functions from WASM modules built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. The highest threat from this vulnerability is to integrity. (CVE-2021-38297)

A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. An attacker capable of submitting a crafted ZIP file to a Go application using archive/zip to process that file could cause a denial of service via memory exhaustion or panic. This particular flaw is an incomplete fix for a previous flaw. (CVE-2021-39293)

An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat, it can cause golang to attempt to read outside of a slice (array) causing a panic when calling ImportedSymbols. An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service. (CVE-2021-41771)

A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names or an empty filename argument. (CVE-2021-41772)

There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources. (CVE-2021-44716)

There's a flaw in golang's syscall.ForkExec() interface. An attacker who manages to first cause a file descriptor exhaustion for the process, then cause syscall.ForkExec() to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec(). (CVE-2021-44717)

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. (CVE-2022-23772)

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. (CVE-2022-23773)

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

A stack overflow flaw was found in Golang's regexp module, which can crash the runtime if the application using regexp accepts very long or arbitrarily long regexps from untrusted sources that have sufficient nesting depths. To exploit this vulnerability, an attacker would need to send large regexps with deep nesting to the application. Triggering this flaw leads to a crash of the runtime, which causes a denial of service. (CVE-2022-24921)


Affected Packages:

golang


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update golang to update your system.

New Packages:
aarch64:
    golang-1.16.15-1.amzn2.0.1.aarch64
    golang-bin-1.16.15-1.amzn2.0.1.aarch64
    golang-shared-1.16.15-1.amzn2.0.1.aarch64

noarch:
    golang-docs-1.16.15-1.amzn2.0.1.noarch
    golang-misc-1.16.15-1.amzn2.0.1.noarch
    golang-tests-1.16.15-1.amzn2.0.1.noarch
    golang-src-1.16.15-1.amzn2.0.1.noarch

src:
    golang-1.16.15-1.amzn2.0.1.src

x86_64:
    golang-1.16.15-1.amzn2.0.1.x86_64
    golang-bin-1.16.15-1.amzn2.0.1.x86_64
    golang-shared-1.16.15-1.amzn2.0.1.x86_64
    golang-race-1.16.15-1.amzn2.0.1.x86_64

Changelog:

2025-04-08: CVE-2021-27918 was added to this advisory.

2025-04-08: CVE-2021-33197 was added to this advisory.

2025-04-08: CVE-2021-36221 was added to this advisory.

2025-04-08: CVE-2021-27919 was added to this advisory.

2025-04-08: CVE-2021-33195 was added to this advisory.

2025-04-08: CVE-2021-33198 was added to this advisory.