CVE-2021-33196

7.5 HIGH

📋 TL;DR

This vulnerability in Go's archive/zip package lets an attacker cause a denial of service: a specially crafted ZIP archive whose header carries a manipulated file count triggers a panic while the archive is being read. It affects applications built with Go's standard library zip functionality before version 1.15.13, or with 1.16.x before 1.16.5. Any service that processes untrusted ZIP files could be impacted.

💻 Affected Systems

Products:
  • Go programming language
  • Applications using Go's archive/zip package
Versions: Go versions < 1.15.13 and 1.16.x < 1.16.5
Operating Systems: All platforms where Go applications run
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the archive/zip package to process ZIP files. Applications not using this functionality are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service crash and denial of service, potentially disrupting critical business functions if the application doesn't properly recover from panics.

🟠 Likely Case

Service interruption and downtime for applications processing malicious ZIP files, requiring a manual restart and potentially losing in-flight transactions.

🟢 If Mitigated

Minimal impact if applications have proper panic recovery mechanisms and monitoring to detect and restart crashed services.

🌐 Internet-Facing: HIGH if the application accepts ZIP uploads from untrusted sources via web interfaces, APIs, or file processing services.
🏢 Internal Only: MEDIUM for internal systems that process ZIP files from potentially compromised internal sources or user uploads.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only crafting a malicious ZIP file with manipulated header fields. No authentication or special privileges needed if the application processes ZIP files from untrusted sources.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.15.13 or 1.16.5

Vendor Advisory: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI

Restart Required: Yes

Instructions:

1. Update the Go installation to version 1.15.13 or 1.16.5 or later.
2. Recompile all Go applications with the updated Go version.
3. Redeploy the updated applications.
4. Restart services using the patched applications.

🔧 Temporary Workarounds

Input validation for ZIP files (platform: all)

Implement strict validation of ZIP file headers before processing, rejecting files with suspicious file counts or malformed headers.

Panic recovery middleware (platform: all)

Add panic recovery handlers in Go applications to catch and log panics without crashing the entire service.
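The two workarounds above, as an added example that is not from this page or from the Go project: PrecheckZipHeader is a cheap end-of-central-directory (EOCD) sanity check that rejects an archive claiming more entries than its central directory can hold, and SafeListZip wraps archive/zip so a panic becomes an error. The 22-byte EOCD record and 46-byte central directory header sizes come from the ZIP format; the plausibility heuristic itself is my own and is not the upstream fix, and it assumes no archive comment and no ZIP64 (both are rejected rather than parsed).

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"fmt"
)

// PrecheckZipHeader rejects an archive whose EOCD record claims more entries than
// its central directory can hold. Assumes no comment and no ZIP64 (both rejected).
func PrecheckZipHeader(data []byte) error {
	const eocdLen = 22 // fixed size of the EOCD record, at the very end of the file
	n := len(data)
	if n < eocdLen {
		return fmt.Errorf("too small to be a ZIP archive")
	}
	eocd := data[n-eocdLen:]
	if binary.LittleEndian.Uint32(eocd[0:4]) != 0x06054b50 { // "PK\x05\x06"
		return fmt.Errorf("EOCD record not at end of file (comment/ZIP64 not handled)")
	}
	entries := int(binary.LittleEndian.Uint16(eocd[10:12]))
	cdSize := int(binary.LittleEndian.Uint32(eocd[12:16]))
	if cdOff := int(binary.LittleEndian.Uint32(eocd[16:20])); cdOff+cdSize > n-eocdLen {
		return fmt.Errorf("central directory extends past the archive")
	}
	if entries*46 > cdSize { // 46 bytes is the fixed part of one central directory header
		return fmt.Errorf("%d claimed entries cannot fit in a %d-byte central directory", entries, cdSize)
	}
	return nil
}

// SafeListZip lists entry names; a panic inside archive/zip (the CVE-2021-33196
// failure mode on unpatched Go) becomes an error instead of a process crash.
// Note: recover only catches panics raised in the goroutine that deferred it.
func SafeListZip(data []byte) (names []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			names, err = nil, fmt.Errorf("archive/zip panicked: %v", r)
		}
	}()
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	for _, f := range zr.File {
		names = append(names, f.Name)
	}
	return names, nil
}
```

Run the precheck before handing an upload to archive/zip, and keep the recover wrapper as the backstop for anything the precheck does not catch.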

🧯 If You Can't Patch

  • Implement strict file upload restrictions and validation for ZIP files at network boundaries
  • Deploy applications in containers with automatic restart policies to minimize downtime from crashes

🔍 How to Verify

Check if Vulnerable:

Run the 'go version' command. If the output shows a version below 1.15.13, or 1.16.0 through 1.16.4, the toolchain is vulnerable. Deployed binaries embed the toolchain that built them, so also check them with 'go version <path-to-binary>'; a binary built with a vulnerable toolchain stays vulnerable until it is rebuilt.

Check Version:

go version

Verify Fix Applied:

After updating, run 'go version' to confirm version is 1.15.13, 1.16.5, or later. Test with known malicious ZIP files to ensure no panic occurs.

📡 Detection & Monitoring

Log Indicators:

  • Application panic logs mentioning 'archive/zip'
  • Unexpected service restarts after file processing
  • Error logs containing 'panic:' or 'runtime error:'

Network Indicators:

  • Unusual patterns of ZIP file uploads followed by service unavailability
  • Failed file processing requests

SIEM Query:

source="application.logs" AND ("panic" OR "runtime error") AND "archive/zip"
