QID 981200

QID 981200: Go (go) Security Update for github.com/ethereum/go-ethereum (GHSA-9856-9gg9-qcmq)

A memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different `stateRoot` when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split in two forks.

All Geth versions supporting the London hard fork are vulnerable (which predates London), so all users should update.

This bug was exploited on Mainnet at block 13107518, leading to a minority chain split.

A vulnerability in the Geth EVM could cause a node to reject the canonical chain.

CVSS V3 rated as High - 7.5 severity.

CVSS V2 rated as Medium - 5 severity.

Solution

A patch is included in the `v1.10.8` release.
The exact patch to fix the issue is contained within this [commit](https://github.com/ethereum/go-ethereum/pull/23381/commits/4d4879cafd1b3c906fc184a8c4a357137465128f)Workaround:
No workarounds exist, save to update and/or apply the patch commit.

Vendor References

GHSA-9856-9gg9-qcmq - github.com/advisories/GHSA-9856-9gg9-qcmq

CVEs related to QID 981200

CVE-2021-39137 |

Software Advisories

Advisory ID	Software	Component	Link
GHSA-9856-9gg9-qcmq	github.com/ethereum/go-ethereum		github.com/advisories/GHSA-9856-9gg9-qcmq

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].