ALAS2-2023-2015

Amazon Linux 2 Security Advisory: ALAS2-2023-2015
Advisory Released Date: 2023-04-20
Advisory Updated Date: 2025-09-23

Severity: Important

References: CVE-2022-2880 CVE-2022-30580 CVE-2022-30634 CVE-2022-41722 CVE-2022-41723
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. (CVE-2022-30580)

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes. (CVE-2022-30634)

The Go project has described this issue as follows:

"On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b." (CVE-2022-41722)

http2/hpack: avoid quadratic complexity in hpack decoding (CVE-2022-41723)

Affected Packages:

golang

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update golang or yum update --advisory ALAS2-2023-2015 to update your system.

New Packages:

aarch64:
    golang-1.18.9-1.amzn2.0.2.aarch64
    golang-bin-1.18.9-1.amzn2.0.2.aarch64
    golang-shared-1.18.9-1.amzn2.0.2.aarch64

noarch:
    golang-docs-1.18.9-1.amzn2.0.2.noarch
    golang-misc-1.18.9-1.amzn2.0.2.noarch
    golang-tests-1.18.9-1.amzn2.0.2.noarch
    golang-src-1.18.9-1.amzn2.0.2.noarch

src:
    golang-1.18.9-1.amzn2.0.2.src

x86_64:
    golang-1.18.9-1.amzn2.0.2.x86_64
    golang-bin-1.18.9-1.amzn2.0.2.x86_64
    golang-shared-1.18.9-1.amzn2.0.2.x86_64
    golang-race-1.18.9-1.amzn2.0.2.x86_64

Changelog:

2025-09-23: CVE-2022-41724 was removed from this advisory.

2025-09-23: CVE-2022-41725 was removed from this advisory.

2025-09-23: CVE-2023-24532 was removed from this advisory.

2025-09-23: CVE-2023-24534 was removed from this advisory.

2025-09-23: CVE-2023-24536 was removed from this advisory.

2025-09-23: CVE-2023-24537 was removed from this advisory.

2025-09-23: CVE-2023-24538 was removed from this advisory.

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2022-2880, CVE-2022-30580, CVE-2022-30634, CVE-2022-41722, CVE-2022-41723

Mitre: CVE-2022-2880, CVE-2022-30580, CVE-2022-30634, CVE-2022-41722, CVE-2022-41723