QID 354041

Date Published: 2022-08-10

QID 354041: Amazon Linux Security Advisory for golang : ALAS2-2022-1830

a null pointer dereference vulnerability was found in golang.
When using the librarys ssh server without specifying an option for gssapiwithmicconfig, it is possible for an attacker to craft an ssh client connection using the authentication method and cause the server to panic resulting in a denial of service.
The highest threat from this vulnerability is to system availability. (
( CVE-2020-29652) an infinite loop vulnerability was found in golang.
If an application defines a custom token parser initializing with `xml.
Newtokendecoder` it is possible for the parsing loop to never return.
An attacker could potentially craft a malicious xml document which has an xml element with `eof` within it, causing the parsing application to endlessly loop, resulting in a denial of service (dos). (
( CVE-2021-27918) an out of bounds read vulnerability was found in golang.
When using the archive/zip standard library (stdlib) and an unexpected file is parsed, it can cause golang to attempt to read outside of a slice (array) causing a panic in the runtime.
A potential attacker can use this vulnerability to craft an archive which causes an application using this library to crash resulting in a denial of service (dos). (
( CVE-2021-27919) a flaw was found in go.
The lookupcname, lookupsrv, lookupmx, lookupns, and lookupaddr functions in the net package and methods on the resolver type, may return arbitrary values retrieved from dns, allowing injection of unexpected contents.
The highest threat from this vulnerability is to integrity. (
This flaw allows an attacker to drop arbitrary headers.

Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.

CVSS V3 rated as Critical - 9.8 severity.

CVSS V2 rated as High - 7.5 severity.

Solution

Please refer to Amazon advisory: ALAS2-2022-1830 for affected packages and patching details, or update with your package manager.

Vendor References

ALAS2-2022-1830 - alas.aws.amazon.com/AL2/ALAS-2022-1830.html

CVEs related to QID 354041

CVE-2021-38297 | CVE-2022-23773 | CVE-2021-27919 | CVE-2021-27918 | CVE-2021-33198 | CVE-2021-39293 | CVE-2022-23806 | CVE-2022-24921 | CVE-2021-36221 | CVE-2021-33197 | CVE-2020-29652 | CVE-2021-33195 | CVE-2022-23772 | CVE-2022-28327 | CVE-2022-24675 |

Software Advisories

Advisory ID	Software	Component	Link
ALAS2-2022-1830	Amazon Linux 2		alas.aws.amazon.com/AL2/ALAS-2022-1830.html

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].