Bug 1963232 (CVE-2021-33194)
| Summary: | CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abishop, admiller, agarcial, alazar, alderr, alegrand, alitke, amctagga, amurdaca, anharris, anpicker, aos-bugs, aos-install, aos-network-edge-staff, aos-storage-staff, asm, bbennett, bmontgom, bniver, bodavis, bthurber, cholman, cnv-qe-bugs, deparker, dornelas, dwalsh, emachado, eparis, erooth, fdeutsch, flucifre, gmeno, hchiramm, hvyas, jakob, jburrell, jcajka, jcantril, jhrozek, jjoyce, jlanford, jligon, jmulligan, jnovy, joelsmith, jokerman, josorior, jpadman, jschluet, jwendell, jwon, kakkoyun, kaycoth, kconner, krathod, lball, lemenkov, lgamliel, lhh, lhinds, lmeyer, lpeer, lsm5, madam, maszulik, matzew, mbenjamin, mbooth, mburns, mfilanov, mfojtik, mhackett, mnewsome, mrogers, mrussell, mthoemme, nalin, nstielau, phoracek, pkrupa, proguski, pthomas, rcernich, renich, rfreiman, rhcos-triage, rhs-bugs, rhuss, rphillips, rrajasek, rtalur, rtheis, sclewis, security-response-team, sejug, sgott, slinaber, sostapov, spasquie, sponnaga, stirabos, sttts, team-winc, tstellar, tsweeney, twalsh, umohnani, vbatts, vereddy, xiyuan, xxia, zkosic |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in golang. An attacker can craft an input to ParseFragment within parse.go that would cause it to enter an infinite loop and never return. The greatest threat to the system is of availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-07-28 01:07:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1963235, 1966749, 1966753, 1963233, 1963234, 1963921, 1966290, 1966291, 1966292, 1966293, 1966294, 1966295, 1966296, 1966297, 1966298, 1966299, 1966300, 1966301, 1966302, 1966303, 1966304, 1966305, 1966306, 1966307, 1966308, 1966309, 1966310, 1966311, 1966312, 1966313, 1966314, 1966315, 1966316, 1966317, 1966318, 1966319, 1966320, 1966321, 1966322, 1966323, 1966324, 1966325, 1966327, 1966330, 1966331, 1966332, 1966750, 1966751, 1966752, 1966754, 1966755, 1968738, 1968739, 1968740, 1968741, 1968742, 1968743, 1973164, 1973165 | ||
| Bug Blocks: | 1963236 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-05-21 18:03:41 UTC
Created etcd tracking bugs for this issue: Affects: openstack-rdo [bug 1963235] Created golang tracking bugs for this issue: Affects: epel-all [bug 1963233] Affects: fedora-all [bug 1963234] Upstream patch: https://go-review.googlesource.com/c/net/+/311090/ For anybody else looking at this, I've chosen to close ours WONTFIX due to: $ go mod why golang.org/x/net/html # golang.org/x/net/html k8s.io/cloud-provider-openstack/tests/e2e/csi/cinder github.com/onsi/gomega github.com/onsi/gomega/matchers golang.org/x/net/html/charset golang.org/x/net/html We're only pulling this dependency in at all because of a gomega matcher we're not using. Our components don't parse html. Updating buildah RHEL affects to 'notaffected' as the vulnerable code is not shipped with the product, just used in testing. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33194 Hi folks, where can we find status of the fix for previous versions of OpenShift 4? Can anyone tell me whether CVE-2021-33194 has been fixed in for OpenShift 4.7 and 4.6, and if so which security errata its documented in? I can't see any updated details on https://access.redhat.com/security/cve/cve-2021-33194, only that OpenShift v4 is still affected (In reply to Rachel A from comment #25) > Can anyone tell me whether CVE-2021-33194 has been fixed in for OpenShift > 4.7 and 4.6, and if so which security errata its documented in? I can't see > any updated details on > https://access.redhat.com/security/cve/cve-2021-33194, only that OpenShift > v4 is still affected CVE-2021-33194 has been classified as a Moderate impact flaw and therefore it won't be addressed in OpenShift (OCP) 4.7 and 4.6 (both these releases are already in the maintenance support phase). This vulnerability doesn't impact directly majority of OCP components, because even if the golang.org/x/net/html is imported (usually as a dependency) it's not used in the OCP components (the impacted functions are not used). The future releases of OCP will use new version of Go and will import as well fixed version of golang.org/x/net/html. In case of further questions please contact Red Hat Product Security team <secalert>. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759 This issue has been addressed in the following products: OpenShift Logging 5.3 Via RHSA-2021:4627 https://access.redhat.com/errata/RHSA-2021:4627 |