Go programming language design limitation – CVE-2021-44717 (NVD Published Date 1st Jan 2022)

Preface: Go (Golang) is well suited to building scalable servers and large software systems. The language was built to fill the gaps in C++ and Java that Google came across while working with its servers and distributed systems.

Its use is not limited to Google: well-known cloud businesses such as Dropbox, Terraform, Kubernetes, and Docker also develop applications in the Go programming language.

As a language, Go is closer to C; however, in addition to C's features, Go offers memory safety, garbage collection, structural typing, and CSP-style concurrency.

Background: The syscall package provides a function, func ForkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error), that forks and execs a given process with the given arguments and an additional ProcAttr, in which you can define the environment and the open files. It handles most of the process setup, even the user/group namespaces.

Vulnerability details: There is a flaw in Go's syscall.ForkExec() interface. An attacker who manages to first cause file descriptor exhaustion for the process, and then cause syscall.ForkExec() to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec().
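A defence-in-depth check for the precondition described above, as an added example that is not code from the Go project or from this post: it refuses to call syscall.ForkExec() when the process is close to its file descriptor limit, and it does not replace installing the fixed golang package. The helper names, the Linux-only /proc/self/fd count and the threshold of 16 spare descriptors are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

var errLowFDs = errors.New("refusing to fork: file descriptors nearly exhausted")

// fdHeadroom reports how many more descriptors can be opened before the soft
// RLIMIT_NOFILE is reached. Linux-only: it counts entries in /proc/self/fd.
func fdHeadroom() (int, error) {
	var lim syscall.Rlimit
	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &lim); err != nil {
		return 0, err
	}
	open, err := os.ReadDir("/proc/self/fd")
	if err != nil {
		return 0, err
	}
	soft := lim.Cur
	if soft > 1<<31-1 { // unlimited or huge limit: clamp before converting to int
		soft = 1<<31 - 1
	}
	return int(soft) - len(open), nil
}

// guardedForkExec (hypothetical helper) runs argv only when at least minFree
// descriptors are spare, passes stdin/stdout/stderr explicitly, and returns
// the child's exit status. Leave a margin: other goroutines may open files
// between the check and the fork.
func guardedForkExec(minFree int, argv []string) (int, error) {
	if free, err := fdHeadroom(); err != nil {
		return -1, err
	} else if free < minFree {
		return -1, fmt.Errorf("%w (%d free, want %d)", errLowFDs, free, minFree)
	}
	attr := &syscall.ProcAttr{Env: os.Environ(), Files: []uintptr{0, 1, 2}}
	pid, err := syscall.ForkExec(argv[0], argv, attr)
	if err != nil {
		return -1, err
	}
	var ws syscall.WaitStatus
	_, err = syscall.Wait4(pid, &ws, 0, nil)
	return ws.ExitStatus(), err
}

func main() {
	fmt.Println(guardedForkExec(16, []string{"/bin/sh", "-c", "exit 0"}))
}
```

A refusal wrapped around errLowFDs is also a useful signal to log and alert on, since sustained descriptor exhaustion is the first step of the scenario described above.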

Reference: Fedora has released a security update for golang to fix the vulnerabilities (Affected OS: Fedora 35) – https://bodhi.fedoraproject.org/updates/FEDORA-2021-29943703de
