Bug 1995656 (CVE-2021-36221)

Summary: CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: go 1.16.7, go 1.15.15
Doc Type: If docs needed, set a value
Doc Text:
A race condition flaw was found in Go. The incoming request's body was not closed after a handler panic, and as a consequence this could lead to a ReverseProxy crash. The highest threat from this vulnerability is to Availability.
Story Points: ---
Last Closed: 2021-10-28 09:07:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1997190, 1997874, 1993407, 1995964, 1995965, 1995966, 1995967, 1995968, 1995969, 1995970, 1995971, 1995972, 1995973, 1995974, 1995975, 1995976, 1995977, 1995978, 1995979, 1995980, 1995981, 1995982, 1995983, 1995984, 1995985, 1995986, 1995987, 1995988, 1995989, 1995990, 1995991, 1995992, 1995993, 1995994, 1995995, 1995996, 1995997, 1995998, 1995999, 1996000, 1996001, 1996002, 1996003, 1996004, 1996005, 1996006, 1996007, 1996008, 1996009, 1996010, 1996761, 1996763, 1996769, 1996770, 1996771, 1996772, 1996810, 1997188, 1997191, 1997869, 1997870, 1997871, 1997872, 1997873, 1997875, 1997876, 1997877, 1998071, 1998072, 1998073, 1998074, 1998075, 1998076, 1998077, 1998078, 1998079, 1998080, 1998107, 1998108, 1998109, 1998110, 1998111, 1999010, 1999358, 1999415, 1999416, 2000977, 2000978, 2000989, 2000990, 2000991, 2000992, 2000993, 2000994, 2057167
Bug Blocks: 1995693

Description Marian Rehak 2021-08-19 15:04:23 UTC
A race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.

Reference:

https://github.com/golang/go/issues/46866

Comment 11 Summer Long 2021-08-26 00:28:25 UTC
Created golang tracking bugs for this issue:

Affects: openstack-rdo [bug 1997874]

Comment 20 Marian Rehak 2021-08-31 07:12:28 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1999416]
Affects: fedora-all [bug 1999415]

Comment 29 Fedora Update System 2021-09-15 18:19:51 UTC
FEDORA-2021-38b51d9fd3 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 34 errata-xmlrpc 2021-11-09 17:25:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4156 https://access.redhat.com/errata/RHSA-2021:4156

Comment 35 errata-xmlrpc 2021-11-23 08:43:08 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:4765 https://access.redhat.com/errata/RHSA-2021:4765

Comment 36 errata-xmlrpc 2021-11-23 10:48:32 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.19

Via RHSA-2021:4766 https://access.redhat.com/errata/RHSA-2021:4766

Comment 37 errata-xmlrpc 2022-01-27 16:56:48 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.1

Via RHSA-2022:0318 https://access.redhat.com/errata/RHSA-2022:0318

Comment 39 errata-xmlrpc 2022-02-23 12:51:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0557 https://access.redhat.com/errata/RHSA-2022:0557

Comment 40 errata-xmlrpc 2022-02-23 13:56:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0561 https://access.redhat.com/errata/RHSA-2022:0561

Comment 41 errata-xmlrpc 2022-03-14 10:24:20 UTC
This issue has been addressed in the following products:

  OSE-OSC-1.2.0-RHEL-8

Via RHSA-2022:0855 https://access.redhat.com/errata/RHSA-2022:0855

Comment 42 errata-xmlrpc 2022-03-16 15:50:09 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947

Comment 43 errata-xmlrpc 2022-03-28 09:36:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577

Comment 44 errata-xmlrpc 2022-04-07 17:58:49 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276

Comment 45 errata-xmlrpc 2022-04-13 15:30:47 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1361 https://access.redhat.com/errata/RHSA-2022:1361

Comment 46 errata-xmlrpc 2022-04-13 18:49:11 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372

Comment 47 errata-xmlrpc 2022-04-19 10:21:44 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.5

Via RHSA-2022:1396 https://access.redhat.com/errata/RHSA-2022:1396

Comment 49 errata-xmlrpc 2022-05-18 20:26:43 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:4668 https://access.redhat.com/errata/RHSA-2022:4668

Comment 50 errata-xmlrpc 2022-11-08 09:11:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7457 https://access.redhat.com/errata/RHSA-2022:7457