CVE-2021-44717
published 2022-01-01CVE-2021-44717: Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous…
PriorityP427medium4.8CVSS 3.1
AVNACHPRNUINSUCLILAN
EPSS
1.86%
76.6th percentile
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | golang-1.15 | < golang-1.15 1.15.15-1~deb11u2 (bullseye) | golang-1.15 1.15.15-1~deb11u2 (bullseye) |
| golang | go | < 1.16.12 | 1.16.12 |
| golang | go | >= 1.17.0 < 1.17.5 | 1.17.5 |
| paloalto | pan-os | — | — |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
nvdv2.05.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:N
osv4.8MEDIUM
vendor_debian4.8MEDIUM
vendor_redhat4.8MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Palo Alto
PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-11-01·CVSS 9.8
CVE-2017-12424 [CRITICAL] PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-12424, CVE-2021-3114, CVE-2021-31525, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-36221, CVE-2021-4034, CVE-2021-44716, CVE-2021-44717, CVE-2022-1664, CVE-2022-1705, CVE-2022-23772, CVE-2022-24675, CVE-2022-24921, CVE-2022-28327, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30631, CVE-2022-30632, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24539, CVE-2023-29406, CVE-2023-29409, CVE-2023-39
CISA ICS
Siemens Brownfield Connectivity Gateway
cisa_ics·2023-02-16·CVSS 7.5
[HIGH] Siemens Brownfield Connectivity Gateway
ICS Advisory
##
Siemens Brownfield Connectivity Gateway
Release DateFebruary 16, 2023
Alert CodeICSA-23-047-04
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Brownfield Connectivity—Gateway
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Uncontrolled Resource Consumption, Exposure of Resource to Wrong S
Red Hat
golang: syscall: don't close fd 0 on ForkExec error
vendor_redhat·2021-12-09·CVSS 4.8
CVE-2021-44717 [MEDIUM] CWE-200 golang: syscall: don't close fd 0 on ForkExec error
golang: syscall: don't close fd 0 on ForkExec error
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
There's a flaw in golang's syscall.ForkExec() interface. An attacker who manages to first cause a file descriptor exhaustion for the process, then cause syscall.ForkExec() to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec().
Statement: * This flaw has had the severity level set to Moderate due to the attack complexity required to exhaust file descriptors at the time ForkExec is called, plus an attacker does
Debian
CVE-2021-44717: golang-1.15 - Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an...
vendor_debian·2021·CVSS 4.8
CVE-2021-44717 [MEDIUM] CVE-2021-44717: golang-1.15 - Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an...
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
Scope: local
bullseye: resolved (fixed in 1.15.15-1~deb11u2)
OSV
Misdirected I/O in syscall
osv·2022-05-18
CVE-2021-44717 Misdirected I/O in syscall
Misdirected I/O in syscall
When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.
For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.
GHSA
GHSA-x9r7-cjm2-h6cp: Go before 1
ghsa_unreviewed·2022-01-02
CVE-2021-44717 [HIGH] CWE-668 GHSA-x9r7-cjm2-h6cp: Go before 1
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
OSV
CVE-2021-44717: Go before 1
osv·2022-01-01·CVSS 4.8
CVE-2021-44717 [MEDIUM] CVE-2021-44717: Go before 1
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdfhttps://groups.google.com/g/golang-announce/c/hcmEScgc00khttps://lists.debian.org/debian-lts-announce/2022/01/msg00016.htmlhttps://lists.debian.org/debian-lts-announce/2022/01/msg00017.htmlhttps://lists.debian.org/debian-lts-announce/2023/04/msg00021.htmlhttps://security.gentoo.org/glsa/202208-02https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdfhttps://groups.google.com/g/golang-announce/c/hcmEScgc00khttps://lists.debian.org/debian-lts-announce/2022/01/msg00016.htmlhttps://lists.debian.org/debian-lts-announce/2022/01/msg00017.htmlhttps://lists.debian.org/debian-lts-announce/2023/04/msg00021.htmlhttps://security.gentoo.org/glsa/202208-02
2022-01-01
Published