Golang team reports two vulnerabilities, one critical
Take action: If you are building or compiling Go on Darwin OS (macOS, iOS, watchOS, tvOS, iPadOS, visionOS, and bridgeOS) you should patch your Golang toolchain ASAP. It's also wise to update Golang for any web-based applications, but that's a DoS vulnerability, so it will hurt you but it won't hack you. Your choice.
Learn More
The Go programming language team has released security updates to address two vulnerabilities, tracked as CVE-2024-24787 and CVE-2024-24788, that could allow attackers to execute arbitrary code and cause Denial of Service (DoS) disruptions through infinite loops, respectively.
Details of the flaws:
- CVE-2024-24787 (CVSS score 9.8) - Arbitrary Code Execution Vulnerability on Darwin. This vulnerability is triggered by the improper use of the -lto_library flag in the #cgo LDFLAGS directive with Apple's version of the linker (ld). Attackers can exploit this flaw by loading a malicious LTO (Link Time Optimization) library during the build process, leading to arbitrary code execution.
  - The flaw impacts the Go programming environment on Darwin operating systems (macOS, iOS, watchOS, tvOS, iPadOS, visionOS, and bridgeOS).
  - The Go team has patched this vulnerability in versions 1.22.3 and 1.21.10.
- CVE-2024-24788 (CVSS score 7.5) - Infinite Loop in DNS Lookup Functions. A specially crafted DNS response can cause Go's DNS lookup functions to enter an infinite loop, potentially resulting in a Denial-of-Service (DoS) condition.
  - The flaw impacts web-facing applications and services using Go for DNS queries.
  - This issue has been addressed in the latest Go updates, versions 1.22.3 and 1.21.10.
Developers and system administrators are strongly urged to update their Go installations to versions 1.22.3 or 1.21.10.
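Two checks a build or platform team can automate from the details above: confirm that every toolchain in use is at or past the fixed releases (1.22.3 / 1.21.10), and audit vendored or third-party modules for `#cgo LDFLAGS` directives that name `-lto_library` before building them on a Mac. The Go program below is an added example written for this page, not code from the Go project; the `ParseGoVersion`, `IsFixed` and `FindLTOLibraryFlags` helpers and the `sample` source are constructed here, and the version strings and dylib path are placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Fixed releases named in the advisory for both CVEs: 1.22.3 and 1.21.10.
// Key is the minor version; value is the first patch level carrying the fix.
var fixedPatch = map[int]int{22: 3, 21: 10}

var goVersionRe = regexp.MustCompile(`go(\d+)\.(\d+)(?:\.(\d+))?`)

// ParseGoVersion extracts (major, minor, patch) from a toolchain string such as
// "go1.22.2" or the full output of `go version` ("go version go1.21.9 darwin/arm64").
func ParseGoVersion(s string) (major, minor, patch int, err error) {
	m := goVersionRe.FindStringSubmatch(s)
	if m == nil {
		return 0, 0, 0, fmt.Errorf("no go version found in %q", s)
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major, minor, patch, nil
}

// IsFixed reports whether a toolchain version carries the fixes for
// CVE-2024-24787 and CVE-2024-24788. Release lines newer than 1.22 are
// treated as fixed; lines older than 1.21 are out of support and reported as not fixed.
func IsFixed(version string) (bool, error) {
	major, minor, patch, err := ParseGoVersion(version)
	if err != nil {
		return false, err
	}
	if major > 1 {
		return true, nil
	}
	if need, ok := fixedPatch[minor]; ok {
		return patch >= need, nil
	}
	return minor > 22, nil
}

// cgoLDFLAGS matches a "#cgo [constraints] LDFLAGS:" directive, written either
// as a // line comment or as a bare line inside a /* */ cgo preamble.
var cgoLDFLAGS = regexp.MustCompile(`^\s*(?://)?\s*#cgo\s+(?:[^:\s]+\s+)*LDFLAGS\s*:\s*(.*)$`)

// Finding records one LDFLAGS directive that names the dangerous flag.
type Finding struct {
	Line  int    // 1-based line number in the scanned source
	Flags string // the LDFLAGS value as written
}

// FindLTOLibraryFlags scans Go source text for cgo LDFLAGS directives that
// contain -lto_library, either bare or forwarded to ld via -Wl,-lto_library,...
func FindLTOLibraryFlags(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		m := cgoLDFLAGS.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if strings.Contains(m[1], "-lto_library") {
			out = append(out, Finding{Line: i + 1, Flags: strings.TrimSpace(m[1])})
		}
	}
	return out
}

// sample is a constructed cgo preamble for demonstration, not taken from any real module.
const sample = `package native

/*
#cgo CFLAGS: -I/usr/local/include
#cgo darwin LDFLAGS: -Wl,-lto_library,/path/to/untrusted.dylib
#cgo LDFLAGS: -lsqlite3
#include <sqlite3.h>
*/
import "C"
`

func main() {
	// Placeholder version strings; in practice feed in the output of `go version`.
	for _, v := range []string{"go version go1.21.9 darwin/arm64", "go1.22.3", "go1.20.14"} {
		ok, err := IsFixed(v)
		fmt.Printf("%-35s fixed=%v err=%v\n", v, ok, err)
	}
	for _, f := range FindLTOLibraryFlags(sample) {
		fmt.Printf("line %d: LDFLAGS names -lto_library: %s\n", f.Line, f.Flags)
	}
}
```

The source scan deliberately uses a substring match rather than an exact token, so it also catches the flag when it is wrapped in a `-Wl,` forwarding prefix; any hit in a dependency you did not write is a reason to stop the build and inspect the module, regardless of which toolchain version you run.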