CVE-2021-38297: Buffer Overflow
First published: Thu Oct 07 2021(Updated: )
A flaw was found in golang. This vulnerability can only be triggered when invoking functions from vulnerable WASM (WebAssembly) Modules. Go can be compiled to WASM. If the product or service doesn't use WASM functions, it is not affected, although it uses golang.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openshift-serverless-clients | <0:0.26.0-2.el8 | 0:0.26.0-2.el8 |
| Golang Go | <1.16.9 | |
| Golang Go | >=1.17.0<1.17.2 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| IBM Cloud Pak for Security | <=1.10.0.0 - 1.10.11.0 | |
| IBM QRadar Suite Software | <=1.10.12.0 - 1.10.16.0 |
Remedy
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-38297 https://nvd.nist.gov/vuln/detail/CVE-2021-38297 https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A
- https://bugzilla.redhat.com/show_bug.cgi?id=2012887
- https://access.redhat.com/errata/RHSA-2022:0434
- https://access.redhat.com/errata/RHSA-2022:0432
- https://access.redhat.com/errata/RHSA-2022:1819
- https://access.redhat.com/security/cve/cve-2021-38297
- https://groups.google.com/forum/#!forum/golang-announce
- https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A
- https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/
- https://security.gentoo.org/glsa/202208-02
- https://security.netapp.com/advisory/ntap-20211118-0006/
- https://golang.org/wiki/WebAssembly#getting-started
- https://github.com/golang/go/issues/48797
- https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564
- https://github.com/golang/go/commit/4925e0766f8a92ab82913b3564228645613290f5
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2014920
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2014923
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2014921
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2118476
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2118477
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2118478
- https://exchange.xforce.ibmcloud.com/vulnerabilities/211507
- https://www.ibm.com/support/pages/node/7080058 (Advisory)
- https://groups.google.com/forum/#%21forum/golang-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-38297?
CVE-2021-38297 is a vulnerability in Go before version 1.16.9 and 1.17.x before version 1.17.2 that allows a buffer overflow via large arguments in a function.
How does this vulnerability affect golang?
This vulnerability affects golang when invoking functions from vulnerable WASM (WebAssembly) modules. If the product or service does not use WASM functions, it is not affected.
What is the severity of CVE-2021-38297?
CVE-2021-38297 has a severity rating of critical with a value of 9.
What is the remedy for CVE-2021-38297?
The remedy for CVE-2021-38297 is to update to version 1.16.9 or 1.17.2 of golang.
Where can I find more information about CVE-2021-38297?
You can find more information about CVE-2021-38297 in the provided references: [CVE.org](https://www.cve.org/CVERecord?id=CVE-2021-38297), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-38297), [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2012887), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2022:0434).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/remedy
- agent/author
- agent/weakness
- agent/references
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-38297
- agent/software-canonical-lookup
- agent/event
- collector/ibm-support
- source/IBM
- agent/tags
- agent/description
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/golang
- canonical/golang go
- version/golang go/1.17.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/ibm
- canonical/ibm cloud pak for security
- version/ibm cloud pak for security/1.10.0.0 - 1.10.11.0
- canonical/ibm qradar suite software
- version/ibm qradar suite software/1.10.12.0 - 1.10.16.0