Bug 1989570 (CVE-2021-33197)
| Summary: | CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aadam, abishop, admiller, agerstmayr, ahajkova, ailan, alazar, alegrand, alitke, amctagga, amuller, amurdaca, anharris, anpicker, aos-bugs, asm, bbaude, bbennett, bdettelb, bmontgom, bniver, bodavis, caswilli, cnv-qe-bugs, dbecker, dbenoit, deparker, dmalcolm, dornelas, dwalsh, dwhatley, dymurray, emachado, eparis, erooth, etamir, fdeutsch, fdupont, flucifre, fweimer, gmeno, godas, grafana-maint, hchiramm, hhorak, hvyas, ibolton, jakob, jakub, jarrpa, jburrell, jcajka, jcosta, jjoyce, jkurik, jligon, jmatthew, jmontleo, jmulligan, jnovy, joelsmith, jokerman, jorton, jpadman, jschluet, jwendell, jwon, kakkoyun, kaycoth, kconner, krathod, kwiesmul, lball, lemenkov, lgamliel, lhh, lhinds, lmadsen, lmeyer, lpeer, lsm5, madam, maszulik, matzew, mbenjamin, mburns, mcermak, mfilanov, mfojtik, mgarciac, mgoodwin, mhackett, mheon, mmagr, mnewsome, mpolacek, mrunge, mrussell, mthoemme, nalin, nathans, nbecker, nstielau, ocs-bugs, ohudlick, opohorel, patrickm, phoracek, pkrupa, pleimer, pthomas, puebele, rcernich, rfreiman, rhcos-triage, rhs-bugs, rhuss, rjones, rphillips, rrajasek, rtalur, sabose, sclewis, sgott, sipoyare, slinaber, slucidi, sostapov, spasquie, sponnaga, sseago, stirabos, sttts, team-winc, tnielsen, tomckay, tstellar, tsweeney, twalsh, umohnani, vbatts, vereddy, virt-maint, xxia |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | go 1.16.5, go 1.15.13 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-08-10 13:29:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1989574, 1986037, 1986041, 1986042, 1986043, 1986044, 1986045, 1986046, 1986047, 1986048, 1986050, 1986056, 1986057, 1986069, 1986070, 1986071, 1986072, 1986073, 1986079, 1986082, 1986084, 1986571, 1986975, 1986976, 1989571, 1989573, 1990214, 1990215, 1990216, 1990217, 1990218, 1990219, 1990220, 1990221, 1992001, 1992002, 1992112, 1992113, 1992114, 1992115, 1992116, 1992117, 1992500, 1992501, 1992516, 1992517, 1992518, 1992519, 1992520, 1992521, 1992522, 1992523, 1992524, 1992525, 1992526, 1992527, 1992528, 1992529, 1992530, 1993403, 1993404, 1993405, 1993406, 1993407, 1993408, 1993409, 2004287, 2057529 | ||
| Bug Blocks: | 1989579 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-08-03 13:31:08 UTC
Created etcd tracking bugs for this issue: Affects: openstack-rdo [bug 1989574] Created golang tracking bugs for this issue: Affects: epel-all [bug 1989571] Affects: fedora-all [bug 1989573] This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2984 https://access.redhat.com/errata/RHSA-2021:2984 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2983 https://access.redhat.com/errata/RHSA-2021:2983 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33197 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:3009 https://access.redhat.com/errata/RHSA-2021:3009 This issue has been addressed in the following products: RHACS-3.64-RHEL-8 Via RHSA-2021:3146 https://access.redhat.com/errata/RHSA-2021:3146 This issue has been addressed in the following products: Red Hat OpenShift Jaeger 1.20 Via RHSA-2021:3229 https://access.redhat.com/errata/RHSA-2021:3229 OpenShift engineering has decided to NOT ship 4.8.6 on 8/23 due to the following issue. https://bugzilla.redhat.com/show_bug.cgi?id=1995785 All the fixes part will be now included in 4.8.7 on 8/30. This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.5 Via RHSA-2021:3361 https://access.redhat.com/errata/RHSA-2021:3361 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:3248 https://access.redhat.com/errata/RHSA-2021:3248 This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2021:3431 https://access.redhat.com/errata/RHSA-2021:3431 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2021:3487 https://access.redhat.com/errata/RHSA-2021:3487 This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2021:3555 https://access.redhat.com/errata/RHSA-2021:3555 This issue has been addressed in the following products: Openshift Serveless 1.17 Via RHSA-2021:3556 https://access.redhat.com/errata/RHSA-2021:3556 This issue has been addressed in the following products: RHEL-8-CNV-4.8 Via RHSA-2021:3598 https://access.redhat.com/errata/RHSA-2021:3598 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:3820 https://access.redhat.com/errata/RHSA-2021:3820 This issue has been addressed in the following products: RHEL-8-CNV-4.9 Via RHSA-2021:4104 https://access.redhat.com/errata/RHSA-2021:4104 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4156 https://access.redhat.com/errata/RHSA-2021:4156 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4226 https://access.redhat.com/errata/RHSA-2021:4226 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2021:5072 https://access.redhat.com/errata/RHSA-2021:5072 This issue has been addressed in the following products: Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 Via RHSA-2021:5085 https://access.redhat.com/errata/RHSA-2021:5085 This issue has been addressed in the following products: Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 Via RHSA-2021:5086 https://access.redhat.com/errata/RHSA-2021:5086 This issue has been addressed in the following products: RHEL-8-CNV-4.9 Via RHSA-2022:0191 https://access.redhat.com/errata/RHSA-2022:0191 This issue has been addressed in the following products: RHEL-8-CNV-4.10 Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577 This issue has been addressed in the following products: RHEL-8-CNV-4.8 RHEL-7-CNV-4.8 Via RHSA-2022:1329 https://access.redhat.com/errata/RHSA-2022:1329 This issue has been addressed in the following products: RHEL-7-CNV-2.6 RHEL-8-CNV-2.6 Via RHSA-2022:1402 https://access.redhat.com/errata/RHSA-2022:1402 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:7954 https://access.redhat.com/errata/RHSA-2022:7954 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8008 https://access.redhat.com/errata/RHSA-2022:8008 |