CVE-2021-38297
📋 TL;DR
This vulnerability allows buffer overflow attacks when Go programs compile WebAssembly (WASM) modules with GOARCH=wasm and GOOS=js. Attackers can exploit this by passing large arguments to functions, potentially leading to remote code execution. Affected users are those running Go applications that compile or execute WASM modules in vulnerable Go versions.
💻 Affected Systems
- Go programming language
📦 What is this software?
Fedora by Fedoraproject
Go by Golang
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Application crashes (denial of service) or memory corruption leading to unstable behavior.
If Mitigated
Limited impact if WASM compilation is disabled or proper input validation exists.
🎯 Exploit Status
Exploitation requires crafting malicious WASM modules with large function arguments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Go 1.16.9 or Go 1.17.2
Vendor Advisory: https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A
Restart Required: Yes
Instructions:
1. Identify the Go version with 'go version'.
2. If vulnerable, download the patched version from golang.org.
3. Install the new version.
4. Recompile all Go applications.
5. Restart services using Go.
🔧 Temporary Workarounds
Disable WASM compilation
Prevent compilation or execution of WebAssembly modules in Go applications.
Modify build flags to exclude GOARCH=wasm GOOS=js
🧯 If You Can't Patch
- Isolate applications using vulnerable Go versions in restricted network segments.
- Implement strict input validation and size limits for WASM module arguments.
🔍 How to Verify
Check if Vulnerable:
Run 'go version'. The installation is vulnerable if the reported version is earlier than 1.16.9, or is a 1.17.x release earlier than 1.17.2.
Check Version:
go version
Verify Fix Applied:
After patching, run 'go version' to confirm version is 1.16.9+ or 1.17.2+. Test WASM compilation functionality.
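The version check above can be scripted for use across many hosts or CI runners. The following is an added example, not code from the Go project or the vendor advisory; the function name `classify_go_version` and the sample lines are constructed for illustration, and it assumes the standard `go version goX.Y[.Z] os/arch` output format.

```shell
#!/bin/sh
# Classify one line of `go version` output against the fixed releases named
# above (Go 1.16.9 and Go 1.17.2). Prints: vulnerable | patched | unknown.
# On a real host: classify_go_version "$(go version)"
classify_go_version() {
    # Pull "X.Y" or "X.Y.Z" out of "go version goX.Y[.Z] os/arch".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^go version go\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown            # e.g. a "devel" toolchain: check it by hand
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;         # "go1.17" or a pre-release such as "go1.17rc1"
    esac
    if [ "$major" -gt 1 ] || [ "$minor" -ge 18 ]; then
        echo patched            # later release lines carry the fix forward
    elif [ "$minor" -eq 17 ] && [ "$patch" -ge 2 ]; then
        echo patched
    elif [ "$minor" -eq 16 ] && [ "$patch" -ge 9 ]; then
        echo patched
    else
        echo vulnerable         # below 1.16.9, or 1.17.0 / 1.17.1
    fi
}

# Constructed sample lines (not captured from real hosts).
for line in \
    'go version go1.15.15 linux/amd64' \
    'go version go1.16.8 linux/amd64' \
    'go version go1.16.9 linux/amd64' \
    'go version go1.17rc1 linux/amd64' \
    'go version go1.17.1 darwin/arm64' \
    'go version go1.17.2 windows/amd64'
do
    printf '%-40s %s\n' "$line" "$(classify_go_version "$line")"
done
```

A `patched` toolchain does not by itself mean deployed artifacts are fixed: anything built with an older toolchain still has to be recompiled, as the instructions above state.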
📡 Detection & Monitoring
Log Indicators:
- Application crashes with memory access violations
- Unusual WASM compilation attempts with large payloads
Network Indicators:
- Unexpected network traffic to/from Go applications using WASM
SIEM Query:
source="application.logs" AND ("panic" OR "segmentation fault") AND "wasm"
🔗 References
- https://groups.google.com/forum/#%21forum/golang-announce
- https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A
- https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/
- https://security.gentoo.org/glsa/202208-02
- https://security.netapp.com/advisory/ntap-20211118-0006/