Bug 1942553 (CVE-2021-22133)

Summary: CVE-2021-22133 go.elastic.co/apm: leaks sensitive HTTP headers during panic
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Reporter: Michael Kaplan <mkaplan>
Assignee: Red Hat Product Security <security-response-team>
CC: alegrand, anpicker, aos-bugs, aos-install, bbennett, bmontgom, bthurber, cnv-qe-bugs, dbecker, eparis, erooth, fdeutsch, gghezzo, gparvin, hvyas, jburrell, jhrozek, jjoyce, jokerman, josorior, jramanat, jschluet, jweiser, kakkoyun, lcosic, lhh, lpeer, mburns, mrogers, nstielau, oyahud, pdhamdhe, phoracek, pkrupa, rhos-maint, sclewis, shardy, slinaber, sponnaga, stcannon, stirabos, surbania, team-winc, thee, xiyuan
Fixed In Version: go.elastic.co/apm 1.11.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Elastic APM agent for Go in versions before 1.11.0, where it can leak sensitive HTTP header information when logging request details during an application panic. Normally, the APM agent sanitizes sensitive HTTP header values before sending the information to the APM server. During an application panic, it is possible the headers will not be sanitized before being sent. The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Last Closed: 2021-07-28 01:07:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1945500
Bug Blocks: 1942559

Description Michael Kaplan 2021-03-24 14:31:24 UTC
The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent.

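The failure mode the description names, sanitization skipped on the panic path, as an added illustrative example in Go. This is not the agent's own code or the upstream fix; the sensitive-header list, the Report type and the two handler wrappers are assumptions made for the example, and the request is constructed. The vulnerable variant attaches the live request header map in its recover path, while the fixed variant runs the same sanitizer on every exit path.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// sensitiveHeaders is an assumed list for this example; the agent's real
// sanitization list is configurable and is not reproduced here.
var sensitiveHeaders = map[string]bool{
	"authorization":       true,
	"proxy-authorization": true,
	"cookie":              true,
	"set-cookie":          true,
	"x-api-key":           true,
}

const redacted = "[REDACTED]"

// Report stands in for the event an agent would ship to the APM server.
type Report struct {
	Panicked bool
	Error    string
	Headers  map[string][]string
}

// sanitizeHeaders copies h, replacing the values of sensitive headers.
func sanitizeHeaders(h http.Header) map[string][]string {
	out := make(map[string][]string, len(h))
	for name, values := range h {
		if sensitiveHeaders[strings.ToLower(name)] {
			out[name] = []string{redacted}
			continue
		}
		out[name] = append([]string(nil), values...)
	}
	return out
}

// vulnerableHandle models the flaw: the normal return path sanitizes, but
// the deferred recover() builds the error report from the raw header map.
func vulnerableHandle(req *http.Request, handler func()) (rep Report) {
	defer func() {
		if r := recover(); r != nil {
			rep = Report{Panicked: true, Error: fmt.Sprint(r), Headers: req.Header} // raw, unsanitized
		}
	}()
	handler()
	return Report{Headers: sanitizeHeaders(req.Header)}
}

// fixedHandle sanitizes on every exit path, including after a panic.
func fixedHandle(req *http.Request, handler func()) (rep Report) {
	defer func() {
		if r := recover(); r != nil {
			rep = Report{Panicked: true, Error: fmt.Sprint(r), Headers: sanitizeHeaders(req.Header)}
		}
	}()
	handler()
	return Report{Headers: sanitizeHeaders(req.Header)}
}

// leaksSecret reports whether any sensitive header in rep kept its value.
func leaksSecret(rep Report) bool {
	for name, values := range rep.Headers {
		if !sensitiveHeaders[strings.ToLower(name)] {
			continue
		}
		for _, v := range values {
			if v != redacted {
				return true
			}
		}
	}
	return false
}

// sampleRequest builds a constructed request carrying a bearer token and a
// session cookie, the kind of value the flaw would expose.
func sampleRequest() *http.Request {
	req, err := http.NewRequest(http.MethodGet, "http://example.test/orders", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set("Authorization", "Bearer constructed-secret-token")
	req.Header.Set("Cookie", "session=constructed-session-id")
	req.Header.Set("User-Agent", "example-client/1.0")
	return req
}

func main() {
	crash := func() { panic("nil pointer dereference in handler") }
	bad := vulnerableHandle(sampleRequest(), crash)
	good := fixedHandle(sampleRequest(), crash)
	fmt.Printf("vulnerable: panicked=%v leaks=%v headers=%v\n", bad.Panicked, leaksSecret(bad), bad.Headers)
	fmt.Printf("fixed:      panicked=%v leaks=%v headers=%v\n", good.Panicked, leaksSecret(good), good.Headers)
}
```

leaksSecret is the check worth keeping: whatever the real event structure looks like, a test that panics inside an instrumented handler and asserts that no sensitive header value survives in the captured event is the regression test for this class of bug.
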
Comment 1 Michael Kaplan 2021-03-24 14:31:26 UTC
External References:

https://discuss.elastic.co/t/elastic-apm-agent-for-go-1-11-0-security-update/263252

Comment 2 Sam Fowler 2021-03-29 04:36:19 UTC
Upstream fix:

https://github.com/elastic/apm-agent-go/pull/888

Comment 7 juneau 2021-04-05 15:18:16 UTC
Closing Hosted* not affected.

Comment 8 Borja Tarraso 2021-04-09 06:19:57 UTC
Statement:

Several components in the below products include an old reference to go.elastic.co/apm in their go.sum files; however, no code is included. These components are thus not affected by this vulnerability.

* OpenShift Container Platform
* OpenShift Virtualization
* OpenShift Container Storage 4
* Red Hat Advanced Cluster for Kubernetes (RHACM)

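The distinction the statement above relies on, a module named in go.sum versus a module actually linked into a binary, as an added example in Go. This is not Red Hat's or Elastic's tooling; both inputs are constructed for the example (the go.sum fragment and a transcript in the format `go version -m ./binary` prints), the checksums are placeholders, and the helper names are assumptions. It uses debug.ParseBuildInfo from the standard library, which requires Go 1.18 or newer.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"sort"
	"strings"
)

// sampleGoSum is a constructed go.sum fragment that names go.elastic.co/apm,
// the situation the statement above describes. Checksums are placeholders.
const sampleGoSum = `example.com/lib v1.2.0 h1:constructed-sum-not-real=
example.com/lib v1.2.0/go.mod h1:constructed-sum-not-real=
go.elastic.co/apm v1.8.0 h1:constructed-sum-not-real=
go.elastic.co/apm v1.8.0/go.mod h1:constructed-sum-not-real=
`

// sampleBuildInfo is a constructed transcript in the format that
// `go version -m ./svc` prints (and that debug.ReadBuildInfo returns for the
// running binary): only modules actually linked appear as dep lines.
const sampleBuildInfo = "go\tgo1.16\n" +
	"path\texample.com/svc\n" +
	"mod\texample.com/svc\t(devel)\t\n" +
	"dep\texample.com/lib\tv1.2.0\th1:constructed-sum-not-real=\n"

// modulesInGoSum returns every module path that go.sum mentions. A go.sum
// entry only records a checksum the module graph needed at some point; it
// does not mean the module's packages are compiled into any binary.
func modulesInGoSum(gosum string) map[string]bool {
	mods := make(map[string]bool)
	for _, line := range strings.Split(gosum, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 3 {
			continue
		}
		mods[fields[0]] = true
	}
	return mods
}

// linkedModules returns path -> version for the modules a binary links,
// including the target of any replace directive.
func linkedModules(buildInfo string) (map[string]string, error) {
	bi, err := debug.ParseBuildInfo(buildInfo)
	if err != nil {
		return nil, err
	}
	linked := make(map[string]string, len(bi.Deps))
	for _, dep := range bi.Deps {
		linked[dep.Path] = dep.Version
		if dep.Replace != nil {
			linked[dep.Replace.Path] = dep.Replace.Version
		}
	}
	return linked, nil
}

// sumOnly lists modules named in go.sum that the binary does not link; a
// vulnerable module appearing here is the "reference but no code" case.
func sumOnly(gosum, buildInfo string) ([]string, error) {
	linked, err := linkedModules(buildInfo)
	if err != nil {
		return nil, err
	}
	var out []string
	for path := range modulesInGoSum(gosum) {
		if _, ok := linked[path]; !ok {
			out = append(out, path)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	linked, err := linkedModules(sampleBuildInfo)
	if err != nil {
		panic(err)
	}
	only, _ := sumOnly(sampleGoSum, sampleBuildInfo)
	fmt.Println("linked modules:", linked)
	fmt.Println("in go.sum but not linked:", only)
	if v, ok := linked["go.elastic.co/apm"]; ok {
		fmt.Println("go.elastic.co/apm is linked at", v, "(affected if before v1.11.0)")
	}
}
```

Against a real artifact, `go version -m ./binary` produces the transcript parsed here, and in a source tree `go mod why -m go.elastic.co/apm` answers the same question from the module graph; a binary that never linked the module is not affected regardless of what go.sum says.

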
Comment 9 errata-xmlrpc 2021-07-27 22:32:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

Comment 10 Product Security DevOps Team 2021-07-28 01:07:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22133