Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTk4NTYtOWdnOS1xY21x
Ethereum Contains Consensus Flaw During Block Processing
Impact
A vulnerability in the Geth EVM could cause a node to reject the canonical chain.
Description
A memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different stateRoot when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split in two forks.
All Geth versions supporting the London hard fork are vulnerable (which predates London), so all users should update.
This bug was exploited on Mainnet at block 13107518, leading to a minority chain split.
Patches
A patch is included in the v1.10.8 release.
The exact patch to fix the issue is contained within this commit
Workarounds
No workarounds exist, save to update and/or apply the patch commit.
References.
Post-mortem write-up.
Credits
The bug was found by @guidovranken (working for Sentnl during an audit of the Telos EVM) and reported via [email protected].
For more information
If you have any questions or comments about this advisory:
- Open an issue in go-ethereum
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTk4NTYtOWdnOS1xY21x
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00074
EPSS Percentile: 0.33513
Identifiers: GHSA-9856-9gg9-qcmq, CVE-2021-39137
References:
- https://github.com/ethereum/go-ethereum/security/advisories/GHSA-9856-9gg9-qcmq
- https://nvd.nist.gov/vuln/detail/CVE-2021-39137
- https://github.com/ethereum/go-ethereum/releases/tag/v1.10.8
- https://github.com/ethereum/go-ethereum/pull/23381/commits/4d4879cafd1b3c906fc184a8c4a357137465128f
- https://pkg.go.dev/vuln/GO-2022-0254
- https://github.com/advisories/GHSA-9856-9gg9-qcmq
Blast Radius: 24.9
Affected Packages
go:github.com/ethereum/go-ethereum
Dependent packages: 8,670Dependent repositories: 6,875
Downloads:
Affected Version Ranges: >= 1.10.0, < 1.10.8
Fixed in: 1.10.8
All affected versions: 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7
All unaffected versions: 0.4.1, 0.4.2, 0.4.3, 0.6.0, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.10, 0.7.11, 0.8.4, 0.8.5, 0.9.17, 0.9.18, 0.9.20, 0.9.21, 0.9.22, 0.9.23, 0.9.24, 0.9.25, 0.9.26, 0.9.28, 0.9.30, 0.9.32, 0.9.34, 0.9.36, 0.9.38, 0.9.39, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.2, 1.2.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.8.15, 1.8.16, 1.8.17, 1.8.18, 1.8.19, 1.8.20, 1.8.21, 1.8.22, 1.8.23, 1.8.24, 1.8.25, 1.8.26, 1.8.27, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9, 1.9.10, 1.9.11, 1.9.12, 1.9.13, 1.9.14, 1.9.15, 1.9.16, 1.9.17, 1.9.18, 1.9.19, 1.9.20, 1.9.21, 1.9.22, 1.9.23, 1.9.24, 1.9.25, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 1.10.16, 1.10.17, 1.10.18, 1.10.19, 1.10.20, 1.10.21, 1.10.22, 1.10.23, 1.10.24, 1.10.25, 1.10.26, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.13.9, 1.13.10, 1.13.11, 1.13.12, 1.13.13, 1.13.14, 1.13.15, 1.14.0, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6, 1.14.7, 1.14.8, 1.14.9, 1.14.10, 1.14.11, 1.14.12