CVE-2021-38297
NixOS vulnerability analysis and mitigation

Overview

CVE-2021-38297 is a buffer overflow vulnerability affecting Go versions before 1.16.9 and 1.17.x before 1.17.2. It occurs when invoking functions from WASM (WebAssembly) modules built with the GOARCH=wasm GOOS=js configuration: passing very large arguments can cause portions of the module to be overwritten with data from the arguments (Golang Announce).

Technical details

The vulnerability is triggered when command-line parameters or environment variables exceeding 4096 characters are passed to a Wasm module. This buffer overflow allows an attacker to overwrite the entire contents of the compiled Wasm module and achieve arbitrary Wasm code execution. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, JFrog Analysis).

Impact

The impact severity varies depending on the execution environment. When the module runs in a web browser, the impact is considered MEDIUM because the attacker's code runs within the browser's JavaScript/Wasm sandbox, similar to an XSS attack. When it runs in a server-side environment like Node.js, the impact is HIGH because it can lead to full remote code execution with access to the filesystem and the ability to execute arbitrary OS-level commands (JFrog Analysis).

Mitigation and workarounds

The primary mitigation is to upgrade to Go 1.16.9, 1.17.2, or a later version. For users who cannot upgrade, a workaround is to pass arguments through global variables using the syscall/js package instead of command-line arguments or environment variables. Additionally, users who execute WASM modules with wasm_exec.js need to replace their copy of it after rebuilding any modules (Golang Announce, JFrog Analysis).
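A host-side guard for the trigger in "Technical details" combined with the global-variable workaround above, as an added example that is not code from the Go project or from this page's sources. The 4096-byte budget is the threshold stated on this page; the size accounting (NUL terminator, 8-byte alignment, 8-byte pointer slot) is a conservative assumption, and `checkLaunchArgs`, `launchConfig` and the `appInput` global are hypothetical names.

```javascript
// Added example: host-side guard for Go-built Wasm modules (CVE-2021-38297).
// ARG_BUDGET is the 4096 threshold stated on this page; the accounting
// below is a conservative assumption, not the upstream fix.
const ARG_BUDGET = 4096;
const encoder = new TextEncoder();

// Bytes one string occupies: UTF-8 bytes plus NUL, rounded up to 8,
// plus one 8-byte pointer slot (assumed layout).
function slotSize(str) {
  const n = encoder.encode(str).length + 1;
  return Math.ceil(n / 8) * 8 + 8;
}

// Total bytes needed for argv and env, plus the two list terminators.
function argEnvFootprint(argv, env) {
  const envStrings = Object.keys(env).sort().map((k) => `${k}=${env[k]}`);
  return [...argv, ...envStrings].reduce((sum, s) => sum + slotSize(s), 0) + 16;
}

// Throws instead of letting oversized input reach the module.
// Counts bytes, not characters: multi-byte UTF-8 input grows when encoded.
function checkLaunchArgs(argv, env) {
  const used = argEnvFootprint(argv, env);
  if (used > ARG_BUDGET) {
    throw new RangeError(`argv+env need ${used} bytes, budget is ${ARG_BUDGET}`);
  }
  return used;
}

// Workaround from the page: keep argv/env minimal and hand untrusted data
// to the module as a global that the Go code reads through syscall/js.
// `goInstance` is any object with argv/env properties, such as the Go
// class from wasm_exec.js; `globalName` is a hypothetical application name.
function launchConfig(goInstance, programName, userInput, globalName = "appInput") {
  goInstance.argv = [programName];
  goInstance.env = {};
  checkLaunchArgs(goInstance.argv, goInstance.env);
  globalThis[globalName] = userInput; // Go side: js.Global().Get(globalName)
  return goInstance;
}
```

Call `checkLaunchArgs` wherever request data could reach `argv` or `env`; the guard reduces exposure on hosts that cannot be rebuilt yet and does not replace upgrading Go and wasm_exec.js.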

Community reactions

Multiple Linux distributions and software vendors have released security advisories and patches for this vulnerability, including Fedora, Debian, and NetApp. The vulnerability has been rated as Critical by the NVD but received varying severity assessments from different organizations, with some considering it less severe due to its specific exploitation requirements (Debian LTS, NetApp Advisory).

This report was generated using AI.

Related NixOS vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-14330 | CRITICAL | 9.8 | NixOS | cpe:2.3:a:mozilla:firefox_esr | No | Yes | Dec 09, 2025 |
| CVE-2025-14329 | HIGH | 8.8 | NixOS | cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* | No | Yes | Dec 09, 2025 |
| CVE-2025-14333 | HIGH | 8.1 | NixOS | firefox | No | Yes | Dec 09, 2025 |
| CVE-2025-14332 | HIGH | 7.3 | NixOS | firefox | No | Yes | Dec 09, 2025 |
| CVE-2025-14331 | MEDIUM | 6.5 | NixOS | firefox | No | Yes | Dec 09, 2025 |
