Bug 1856953 (CVE-2020-15586)
Summary: | CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | abonas, admiller, alegrand, alitke, amurdaca, anpicker, aos-bugs, aos-storage-staff, asm, bbennett, bbreard, bbrownin, bmontgom, bodavis, cnv-qe-bugs, deparker, dwalsh, emachado, eparis, erooth, fdeutsch, gbrown, hchiramm, hvyas, imcleod, jburrell, jcajka, jesusr, jligon, jmulligan, jokerman, jpadman, jwon, kakkoyun, kconner, krathod, law, lcosic, lemenkov, madam, markito, miabbott, mloibl, mnewsome, nstielau, oyahud, phoracek, pkrupa, puebele, rcernich, renich, rhs-bugs, rphillips, rrajasek, rtalur, sfowler, sgott, shurley, sponnaga, stirabos, storage-qa-internal, surbania, tstellar, tsweeney, vbatts, vbellur |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Go 1.14.5, Go 1.13.13, Go 1.15rc1 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2020-09-08 13:19:22 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1856956, 1856957, 1859441, 1859442, 1865875, 1866622, 1866623, 1866624, 1866625, 1866626, 1866627, 1866628, 1866629, 1866630, 1866631, 1866632, 1866633, 1866634, 1866635, 1866636, 1866637, 1866638, 1866639, 1866640, 1866641, 1866642, 1866643, 1866644, 1866645, 1866646, 1866647, 1866648, 1866649, 1866650, 1866651, 1866652, 1866653, 1866654, 1866655, 1866656, 1866657, 1866658, 1866660, 1866661, 1866662, 1866663, 1866664, 1866665, 1866666, 1866667, 1866668, 1866669, 1866670, 1866671, 1866672, 1866673, 1866674, 1866675, 1866676, 1866945, 1866946, 1866953, 1867484, 1867485, 1867486, 1867487, 1867488, 1867489, 1867506, 1867507, 1867522, 1867531, 1867532, 1867537, 1867540, 1867541, 1867542, 1867543, 1867557, 1867584, 1867589, 1870132, 1881579, 1883099, 1883100, 1883101, 1883102, 1883103, 1883104, 1883105, 1883106, 1883107, 1883108, 1883109, 1883110, 1883111, 1883112, 1883113, 1883114, 1883115, 1883116, 1883117, 1883118, 1883119, 1883120, 1883121, 1883122, 1883123, 1883124, 1883125, 1883126, 1883127, 1883128, 1883129, 1883130, 1932964, 1932969, 1933013, 1933040, 1933080, 1941198, 1941520, 1941530, 1941540, 1941550, 1941585 | ||
Bug Blocks: | 1856954 | | |
Description
Guilherme de Almeida Suckevicz
2020-07-14 18:47:44 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1856956]
Affects: fedora-all [bug 1856957]

External References:
https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ

Statement:
OpenShift Container Platform (OCP) components are primarily written in Go, meaning that any component using the net/http package includes the vulnerable code. OCP server endpoints using ReverseProxy are protected by authentication, reducing the severity of this vulnerability to Low for OCP. Similar to OCP, OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization are also primarily written in Go and are protected via authentication, reducing the severity of this vulnerability to Low. Red Hat Gluster Storage 3 and Red Hat OpenShift Container Storage 4 components are built with the affected version of Go; however, the vulnerable functionality is currently not used by these products, and hence this issue has been rated as having a security impact of Low. Red Hat Ceph Storage 3 and 4 components are built with the affected version of Go; however, the vulnerable functionality is currently not used by these products, and hence this issue has been rated as having a security impact of Low.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:3665 https://access.redhat.com/errata/RHSA-2020:3665

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-15586

This issue has been addressed in the following products:
RHEL-8-CNV-2.4, RHEL-7-CNV-2.4: Via RHSA-2020:4201 https://access.redhat.com/errata/RHSA-2020:4201
Red Hat Developer Tools: Via RHSA-2020:4214 https://access.redhat.com/errata/RHSA-2020:4214
Red Hat OpenShift Container Platform 4.5: Via RHSA-2020:5119 https://access.redhat.com/errata/RHSA-2020:5119
Red Hat OpenShift Container Platform 4.5: Via RHSA-2020:5118 https://access.redhat.com/errata/RHSA-2020:5118
Red Hat OpenShift Container Storage 4.6.0 on RHEL-8: Via RHSA-2020:5606 https://access.redhat.com/errata/RHSA-2020:5606
Red Hat OpenShift Container Storage 4.6.0 on RHEL-8: Via RHSA-2020:5605 https://access.redhat.com/errata/RHSA-2020:5605
OpenShift Service Mesh 1.1: Via RHSA-2020:5649 https://access.redhat.com/errata/RHSA-2020:5649
OpenShift Serverless 1.9.0: Via RHSA-2021:0072 https://access.redhat.com/errata/RHSA-2021:0072
RHEL-8-CNV-2.6: Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799
Red Hat OpenShift Container Platform 4.5: Via RHSA-2021:0713 https://access.redhat.com/errata/RHSA-2021:0713
Red Hat OpenShift Container Platform 4.6: Via RHSA-2021:0956 https://access.redhat.com/errata/RHSA-2021:0956
Red Hat OpenShift Container Platform 4.5: Via RHSA-2021:1016 https://access.redhat.com/errata/RHSA-2021:1016
Red Hat OpenShift Container Platform 4.7: Via RHSA-2021:1366 https://access.redhat.com/errata/RHSA-2021:1366
Red Hat OpenShift Container Platform 4.7: Via RHSA-2021:2122 https://access.redhat.com/errata/RHSA-2021:2122
RHEL-7-CNV-4.9, RHEL-8-CNV-4.9: Via RHSA-2021:4103 https://access.redhat.com/errata/RHSA-2021:4103