Security News > 2021 > January > Google fixes severe Golang Windows RCE vulnerability
This month Google engineers have fixed a severe remote code execution vulnerability in the Go language.
The RCE vulnerability, CVE-2021-3115, mainly impacts Windows users of Go running the go get command, due to the default behavior of Windows PATH lookups.
If you type netstat in a Windows command prompt, Windows would first look around for a netstat.
Should no netstat exist in the current folder, only then would the Windows shell look for the netstat system utility, the location of which exists on the Windows %PATH% variable.
For consistency, Golang binaries imitate Unix rules on Unix systems, and Windows rules on Windows.
The Golang team at Google has fixed the vulnerability and users are advised to upgrade their instances.
News URL
https://www.bleepingcomputer.com/news/security/google-fixes-severe-golang-windows-rce-vulnerability/
Related news
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices (source)
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- Patching problems: The “return” of a Windows Themes spoofing vulnerability (source)
- Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine (source)
- Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System (source)
- Google patches actively exploited Android vulnerability (CVE-2024-43093) (source)
- Palo Alto Networks warns of potential PAN-OS RCE vulnerability (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-26 | CVE-2021-3115 | Uncontrolled Search Path Element vulnerability in multiple products Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). | 7.5 |