Bug 1921650 (CVE-2021-3121)
Summary: | CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | adam.kaplan, agarcial, alegrand, amurdaca, anpicker, aos-bugs, aos-install, aos-network-edge-staff, aos-storage-staff, aos-team-ota, ataylor, bbennett, bbrownin, bmontgom, bthurber, cbyrne, chazlett, cmoore, cnv-qe-bugs, dgoodwin, dramseur, dwalsh, dwhatley, eparis, erooth, ewolinet, fdeutsch, ganandan, gghezzo, hvyas, inecas, jcosta, jesusr, jhadvig, jhunter, jlanford, jmencak, jochrist, jokerman, jramanat, jweiser, jwendell, jwon, kakkoyun, kconner, kmitts, krathod, kwalsh, lcosic, markito, maszulik, mbooth, mfojtik, mgala, mjudeiki, mklika, mschuppe, nstielau, obulatov, oyahud, pkrupa, proguski, rcernich, rphillips, rrajasek, sanchezl, sbatsche, sd-operator-metering, sejug, sfowler, shardy, slaznick, sponnaga, sttts, surbania, swshanka, team-winc, tflannag, thee, tremes, tsweeney, twalsh, wking, xxia, zkosic |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | github.com/gogo/protobuf 1.3.2 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects. This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2021-02-18 19:02:12 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1921792, 1921793, 1921794, 1921795, 1922072, 1922073, 1922074, 1923139, 1923140, 1923141, 1923142, 1923143, 1923144, 1923145, 1923146, 1923147, 1923148, 1923149, 1923150, 1923152, 1923153, 1923168, 1924039, 1924416, 1924417, 1924418, 1924419, 1924420, 1924421, 1924422, 1924423, 1924424, 1924425, 1924426, 1924427, 1924428, 1924429, 1924430, 1924431, 1924432, 1924433, 1924434, 1924435, 1924438, 1924439, 1924440, 1924441, 1924442, 1924443, 1924444, 1924445, 1924446, 1924447, 1924448, 1924449, 1924450, 1924451, 1924452, 1924453, 1924454, 1924455, 1924456, 1924457, 1924460, 1924461, 1924462, 1924463, 1924464, 1924465, 1924466, 1924467, 1924468, 1924469, 1924470, 1924471, 1924472, 1924473, 1924474, 1924475, 1924476, 1924477, 1924478, 1924481, 1924482, 1924483, 1924484, 1924485, 1924486, 1924487, 1924488, 1924489, 1924490, 1924491, 1924492, 1924493, 1924494, 1924495, 1924496, 1924497, 1924498, 1924499, 1924500, 1924503, 1924504, 1924505, 1924506, 1924507, 1924508, 1924509, 1924510, 1924512, 1924513, 1924515, 1924517, 1924519, 1924521, 1924523, 1924524, 1924525, 1924526, 1924527, 1924528, 1924530, 1924531, 1924532, 1924533, 1924534, 1924535, 1924537, 1924538, 1924539, 1924540, 1924541, 1924542, 1924543, 1924544, 1924545, 1924546, 1924547, 1924548, 1924826, 1924830, 1924832, 1924833, 1924834, 1924836, 1924838, 1924839, 1924842, 1924843, 1925409, 1925411, 1925412, 1925413, 1925414, 1928980, 1928981, 1928982, 1928983, 1928984, 1928985, 1928986, 1928987, 1929985, 1930000, 1930001, 1930002, 1930003, 1934095, 1934132, 1934147, 1934154, 1934164, 1934181, 1957534 | | |
Bug Blocks: | 1921695 | | |
Description
Michael Kaplan
2021-01-28 11:41:35 UTC
Filing moderate bugs for Jaeger. Jaeger uses protobuf loading the unmarshal plugin, but only uses such for internal communications with no use of unsafe. Additionally the vulnerable skippy code is generated, for example: https://github.com/jaegertracing/jaeger/blob/27cb88fcb276de4bc2450137d17d999cbb802aea/proto-gen/api_v2/collector.pb.go#L394

Upstream kubernetes fix: https://github.com/kubernetes/kubernetes/pull/98477

@sfowler I don't think it's sufficiently clear from the filed BZs that the actual vulnerability is in generated code, not in directly linked code. I certainly missed this initially and was about to close our (Shift on Stack) bugs.

My understanding of this issue is that if you unmarshal a type using vendored code which was generated by the vulnerable protobuf, then your application is potentially vulnerable to this issue. Given that this includes k8s.io/api et al, this will be almost everybody.

My understanding is that the only fix to this is to revendor all affected modules with a version which has itself updated to *and regenerated with* the fixed gogo/protobuf. The fix to core kubernetes you linked above is presumably going to hold everybody up here. While this appears to be fixed on master, I couldn't see any evidence of a backport, yet. I think this in turn means this is currently unfixable.

Assuming my understanding here is correct (a bold assumption, not to be made lightly), would it be helpful to:

1. Automatically add a comment to all dependent bugs clarifying this.
2. Re-open any bugs which have already been closed so they can be reassessed in this light.
3. Create bugs for dependent components for which we need backported fixes.
4. Automatically add these dependencies where relevant to all the created bugs.

I'd also be interested in guidance as to whether, in general, we consider this a blocker for 4.7. It sounds to me like we should, but I wouldn't be surprised to hear there's pragmatic context.

@sfowler Rereading that comment (after submission, of course!) I think it misses the key point: Your application is not in the clear just because it doesn't link plugin/unmarshal/unmarshal.go. Your application is not in the clear if it vendors any of the listed modules which themselves generated code using plugin/unmarshal/unmarshal.go. Almost all applications will be affected by this, as it includes k8s.io/api et al.

A (hopefully final) thought: under what circumstances are messages marshalled and unmarshalled using protobuf? For example, do regular api calls use protobuf or are they using http/json?

@mbooth - I agree with your analysis. Applications are affected if they include code with the Unmarshal() function that was generated by vulnerable versions of gogo/protobuf, e.g.

```
/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go:

import (
    ...
    proto "github.com/gogo/protobuf/proto"
    ...
)

func (m *Status) Unmarshal(dAtA []byte) error
```

The upstream kube fix in master both bumps gogo/protobuf and re-generates the affected code. We can consume the same fix in our components to update our protobuf k8s.io code but I think we will need similar upstream fixes for openshift/api, go.etcd.io/etcd etc.

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 8
Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 7
Via RHSA-2021:0607 https://access.redhat.com/errata/RHSA-2021:0607

Statement:

OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) all include code generated by github.com/gogo/protobuf to parse protobuf messages. However, no component is known to accept protobuf messages from unauthenticated sources, hence this vulnerability is rated Moderate for OCP, OSSM and RHOSJ.

OpenShift Virtualization includes code generated by github.com/gogo/protobuf to parse protobuf messages. However, no component of OpenShift Virtualization is known to accept protobuf messages from unauthenticated sources, hence this vulnerability is rated Moderate.

Red Hat Advanced Cluster Management for Kubernetes (RHACM) includes code generated by github.com/gogo/protobuf to parse protobuf messages. However, no RHACM component accepts protobuf messages from unauthenticated sources, and they are used with a limited scope, hence this vulnerability is rated Moderate for RHACM.

Red Hat Cluster Application Migration (CAM) includes code generated by github.com/gogo/protobuf to parse protobuf messages. However, no CAM component is known to accept protobuf messages from unauthenticated sources, hence this vulnerability is rated Moderate for CAM.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3121

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2020:5634 https://access.redhat.com/errata/RHSA-2020:5634

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2020:5635 https://access.redhat.com/errata/RHSA-2020:5635

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 8
Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 7
Via RHSA-2021:0719 https://access.redhat.com/errata/RHSA-2021:0719

This issue has been addressed in the following products:
RHEL-8-CNV-2.6
Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:1006 https://access.redhat.com/errata/RHSA-2021:1006

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:1007 https://access.redhat.com/errata/RHSA-2021:1007

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:1005 https://access.redhat.com/errata/RHSA-2021:1005

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:1227 https://access.redhat.com/errata/RHSA-2021:1227

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:1225 https://access.redhat.com/errata/RHSA-2021:1225

This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped due to a blocker https://bugzilla.redhat.com/show_bug.cgi?id=1958518.

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:1552 https://access.redhat.com/errata/RHSA-2021:1552

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:1563 https://access.redhat.com/errata/RHSA-2021:1563

This issue has been addressed in the following products:
OpenShift Logging 5.0
Via RHSA-2021:2136 https://access.redhat.com/errata/RHSA-2021:2136

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:2121 https://access.redhat.com/errata/RHSA-2021:2121

This bug will be shipped as part of next z-stream release 4.7.15 on June 14th, as 4.7.14 was dropped due to a regression https://bugzilla.redhat.com/show_bug.cgi?id=1967614

This issue has been addressed in the following products:
OpenShift Logging 5.0
Via RHSA-2021:2374 https://access.redhat.com/errata/RHSA-2021:2374

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:2286 https://access.redhat.com/errata/RHSA-2021:2286

This issue has been addressed in the following products:
RHEL-8-CNV-4.8
Via RHSA-2021:2920 https://access.redhat.com/errata/RHSA-2021:2920

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.8
Via RHSA-2021:2437 https://access.redhat.com/errata/RHSA-2021:2437

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.8
Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:2977 https://access.redhat.com/errata/RHSA-2021:2977

This issue has been addressed in the following products:
RHEL-8-CNV-4.8
Via RHSA-2021:3259 https://access.redhat.com/errata/RHSA-2021:3259

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:3262 https://access.redhat.com/errata/RHSA-2021:3262

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:3303 https://access.redhat.com/errata/RHSA-2021:3303

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.9
Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759

This issue has been addressed in the following products:
RHEL-8-CNV-4.9
Via RHSA-2021:4104 https://access.redhat.com/errata/RHSA-2021:4104

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2022:0283 https://access.redhat.com/errata/RHSA-2022:0283

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.10
Via RHSA-2022:0056 https://access.redhat.com/errata/RHSA-2022:0056

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.10
Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577

This issue has been addressed in the following products:
OpenShift Service Mesh 2.0
Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276

This issue has been addressed in the following products:
Cryostat 2 on RHEL 8
Via RHSA-2022:1679 https://access.redhat.com/errata/RHSA-2022:1679

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.11
Via RHSA-2022:6536 https://access.redhat.com/errata/RHSA-2022:6536

This issue has been addressed in the following products:
AMQ Broker 7.10.1
Via RHSA-2022:6916 https://access.redhat.com/errata/RHSA-2022:6916

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
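The thread's key point is that the flaw lives in vendored, generated Unmarshal code, so bumping gogo/protobuf in go.mod proves nothing on its own. As an added example (not code from the bug report, Kubernetes or gogo/protobuf), the Go program below walks a vendor tree and flags gogo-generated .pb.go files that still lack the negative-index guard; its three textual markers (the gogo proto import, the "skippy" skip loop, and the `(iNdEx+skippy) < 0` check) are assumptions about the shape of the generated code, and the scan only reads files on disk.

```go
// Heuristic scan of a vendor tree for gogo/protobuf-generated Unmarshal code that
// lacks the negative-index guard emitted since 1.3.2 (added example, not project code).
package main
import (
	"log"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)
// Assumed markers: gogo proto import, "skippy" skip loop, and the fixed plugin's guard.
var (
	gogoImport    = `"github.com/gogo/protobuf/proto"`
	skipLoop      = regexp.MustCompile(`skippy, err :?= skip\w*\(`)
	overflowGuard = regexp.MustCompile(`\(iNdEx\s*\+\s*skippy\)\s*<\s*0`)
)

// Classify reports whether src looks gogo-generated and, if so, whether it is guarded.
func Classify(src string) (generated, guarded bool) {
	generated = strings.Contains(src, gogoImport) && skipLoop.MatchString(src)
	return generated, generated && overflowGuard.MatchString(src)
}

// ScanVendor lists generated .pb.go files under root that are still unguarded,
// i.e. the modules to re-vendor at a version regenerated with fixed gogo/protobuf.
func ScanVendor(root string) ([]string, error) {
	var suspect []string
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(p, ".pb.go") {
			return err
		}
		src, rerr := os.ReadFile(p)
		if rerr != nil {
			return rerr
		}
		if gen, ok := Classify(string(src)); gen && !ok {
			suspect = append(suspect, p)
		}
		return nil
	})
	return suspect, err
}

func main() { // run from the module root
	suspect, err := ScanVendor("vendor")
	if err != nil {
		log.Fatal(err)
	}
	log.Println(len(suspect), "unguarded generated files:", strings.Join(suspect, " "))
}
```

A hit means the owning module must be re-vendored at a version that was itself regenerated with fixed gogo/protobuf, as the thread describes; a clean run is only as good as the markers.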