#VU57579 Buffer overflow in Go programming language - CVE-2021-38297

Cybersecurity Help s.r.o.

Published: 2021-10-21 | Updated: 2024-01-28

Vulnerability identifier: #VU57579

Vulnerability risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2021-38297

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trigger memory corruption via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Go programming language: 1.16 - 1.17.1

External links
https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A
https://groups.google.com/forum/#!forum/golang-announce

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Amazon Linux AMI update for golang

Multiple vulnerabilities in IBM QRadar Suite software

Splunk Enterprise update for third-party packages

Multiple vulnerabilities in Dell PowerProtect Cyber Recovery

SUSE update for google-guest-agent

SUSE update for google-osconfig-agent

SUSE update for google-guest-agent

Multiple vulnerabilities in Netcool Operations Insight

Fedora EPEL 7 update for git-lfs