Bug 1965503 (CVE-2021-33196)
| Summary: | CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abishop, admiller, alegrand, alitke, amctagga, amurdaca, anharris, anpicker, aos-bugs, aos-install, asm, bbennett, bmontgom, bniver, bodavis, bthurber, cnv-qe-bugs, deparker, dornelas, dwalsh, dwhatley, dymurray, emachado, eparis, erooth, etamir, fdeutsch, flucifre, gmeno, hchiramm, hvyas, ibolton, jakob, jarrpa, jburrell, jcajka, jcosta, jhadvig, jjoyce, jligon, jmatthew, jmontleo, jmulligan, jnovy, joelsmith, jokerman, jpadman, jschluet, jwendell, jwon, kakkoyun, kaycoth, kconner, krathod, kwiesmul, lball, lemenkov, lhh, lhinds, lmadsen, lmeyer, lpeer, lsm5, madam, maszulik, matzew, mbenjamin, mburns, mfojtik, mgarciac, mhackett, mnewsome, mrunge, mrussell, mthoemme, nalin, nbecker, nstielau, ocs-bugs, phoracek, pkrupa, pkundra, pleimer, pthomas, rcernich, renich, rfreiman, rhcos-triage, rhs-bugs, rhuss, rphillips, rrajasek, rtalur, sabose, sclewis, sgott, slinaber, slucidi, sostapov, spasquie, sponnaga, sseago, stirabos, sttts, swshanka, team-winc, tnielsen, tstellar, tsweeney, twalsh, umohnani, vbatts, vereddy, xxia |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | go 1.17.0, go 1.16.5, go 1.15.13 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-07-01 22:40:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1969342, 1967415, 1967416, 1967417, 1967418, 1967419, 1967420, 1971074, 1972420, 1972421, 1973240, 1973241, 1973242, 1973243, 1973247, 1974331, 1974332, 1975882, 1990701, 1991818, 1999369, 1999370, 1999371 | ||
| Bug Blocks: | 1965506 | ||
|
Description
Pedro Sampaio
2021-05-27 20:09:30 UTC
Upstream: 1.15 - https://golang.org/cl/322949 1.16 - https://golang.org/cl/322909 1.17 - https://golang.org/cl/318909 Checking the entire source code of OpenShift 4, only the following components are using archive/zip (components that share the same github.com/openshift repo are removed): grafana-container/pkg/cmd/grafana-cli openshift-enterprise-console-container/cmd/bridge ose-installer-container/cmd/openshift-install openshift/cmd/clicheck openshift/cmd/gendocs openshift/cmd/genman openshift/cmd/genyaml openshift/cmd/kubectl openshift/cmd/kubectl-convert openshift-clients/cmd/oc openshift-clients/tools/clicheck openshift-clients/tools/gendocs openshift-clients/tools/genman The majority of these are all short lived, client side programs. A crash/panic in client side programs has minimal security impact. The only Go binary from the above list that is executed as a long lived server side process is openshift-enterprise-console-container/cmd/bridge, which is the main binary for the openshift web console. However, this only includes archive/zip via the GetAndExtractZip function in the vendor/github.com/devfile/library directory, which is entirely unused. Thus the impact for all OpenShift components that include archive/zip is Low. While all OpenShift Service Mesh components affected include the vulnerable code, only servicemesh and servicemesh-grafana actually include usage of the affected code in zip.NewReader(). Thus, the impact level for servicemesh-operator and servicemesh-prometheus has been set to Low. This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2021:2634 https://access.redhat.com/errata/RHSA-2021:2634 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33196 This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2021:2704 https://access.redhat.com/errata/RHSA-2021:2704 This issue has been addressed in the following products: Openshift Serveless 1.16 Via RHSA-2021:2705 https://access.redhat.com/errata/RHSA-2021:2705 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2984 https://access.redhat.com/errata/RHSA-2021:2984 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2983 https://access.redhat.com/errata/RHSA-2021:2983 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3076 https://access.redhat.com/errata/RHSA-2021:3076 This issue has been addressed in the following products: Red Hat OpenShift Jaeger 1.20 Via RHSA-2021:3229 https://access.redhat.com/errata/RHSA-2021:3229 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.5 Via RHSA-2021:3361 https://access.redhat.com/errata/RHSA-2021:3361 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:3758 https://access.redhat.com/errata/RHSA-2021:3758 |