https://groups.google.com/g/golang-announce/c/JvWG9FUUYT0

https://groups.google.com/forum/#!forum/golang-announce

https://groups.google.com/g/golang-announce/c/uHACNfXAZqk

FEDORA-2021-38b51d9fd3

FEDORA-2021-6a3024b3fd

FEDORA-2021-e71b05ba7b

The version of golang installed on the remote host is prior to 1.15.15-1.71. It is, therefore, affected by a vulnerability as referenced in the ALAS-2021-1538 advisory.

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the go package has been released.

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's     header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1207-1 advisory.

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1199-1 advisory.

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:2787-1 advisory.

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:2788-1 advisory.

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:2787-1 advisory.

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:2788-1 advisory.

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Go project reports :

A net/http/httputil ReverseProxy can panic due to a race condition if its Handler aborts with ErrAbortHandler, for example due to an error in copying the response body. An attacker might be able to force the conditions leading to the race condition.

ID	Name	Product	Family	Severity
153859	Amazon Linux AMI : golang (ALAS-2021-1538)	Nessus	Amazon Linux Local Security Checks	medium
153045	Photon OS 3.0: Go PHSA-2021-3.0-0294	Nessus	PhotonOS Local Security Checks	high
152895	openSUSE 15 Security Update : go1.15 (openSUSE-SU-2021:1207-1)	Nessus	SuSE Local Security Checks	medium
152844	openSUSE 15 Security Update : go1.16 (openSUSE-SU-2021:1199-1)	Nessus	SuSE Local Security Checks	medium
152733	openSUSE 15 Security Update : go1.15 (openSUSE-SU-2021:2787-1)	Nessus	SuSE Local Security Checks	medium
152732	openSUSE 15 Security Update : go1.16 (openSUSE-SU-2021:2788-1)	Nessus	SuSE Local Security Checks	medium
152714	SUSE SLED15 / SLES15 Security Update : go1.15 (SUSE-SU-2021:2787-1)	Nessus	SuSE Local Security Checks	medium
152704	SUSE SLED15 / SLES15 Security Update : go1.16 (SUSE-SU-2021:2788-1)	Nessus	SuSE Local Security Checks	medium
152288	FreeBSD : go -- net/http: panic due to racy read of persistConn after handler panic (880552c4-f63f-11eb-9d56-7186043316e9)	Nessus	FreeBSD Local Security Checks	medium

CVE-2021-36221

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

medium

high

medium

medium

medium

medium

medium

medium

medium