Bug 2030806 (CVE-2021-44717)

Summary: CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Go 1.17.5, Go 1.16.12
Doc Text:
There's a flaw in golang's syscall.ForkExec() interface. An attacker who manages to first cause a file descriptor exhaustion for the process, then cause syscall.ForkExec() to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec().
Last Closed: 2022-05-11 19:45:27 UTC
Bug Blocks: 2030812    

Description Guilherme de Almeida Suckevicz 2021-12-09 18:41:07 UTC
When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.

Reference:
https://github.com/golang/go/issues/50057
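
The misdirected I/O described above follows from the kernel handing the lowest free descriptor number to the next open. As an added illustration (not code from the Go project or from this bug report), the Go program below reproduces the effect on a scratch descriptor rather than fd 0 and shows a device/inode comparison that detects the swap; the file names and the `identify` and `strayClose` helpers are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

type fileID struct{ dev, ino uint64 } // device/inode pair behind an fd number

func identify(fd int) (fileID, error) {
	var st syscall.Stat_t
	if err := syscall.Fstat(fd, &st); err != nil {
		return fileID{}, err
	}
	return fileID{uint64(st.Dev), uint64(st.Ino)}, nil
}

// strayClose (hypothetical helper) closes a scratch fd behind its owner's back, never fd 0;
// the next open reuses the number, so a write via the stale number hits the wrong file.
func strayClose(dir string) (reused, detected bool, leaked string, err error) {
	const flags = syscall.O_CREAT | syscall.O_WRONLY
	fd, err := syscall.Open(dir+"/intended.log", flags, 0o600) // constructed file name
	if err != nil {
		return false, false, "", err
	}
	baseline, err := identify(fd) // guard: remember what fd refers to
	if err != nil {
		return false, false, "", err
	}
	syscall.Close(fd) // stands in for the erroneous close on an error path
	other := dir + "/other.log"
	fd2, err := syscall.Open(other, flags, 0o600) // lowest free number is handed out
	if err != nil {
		return false, false, "", err
	}
	defer syscall.Close(fd2)
	now, statErr := identify(fd)
	detected = statErr != nil || now != baseline  // number closed or now another file
	syscall.Write(fd, []byte("for intended.log")) // owner still trusts the old number
	data, err := os.ReadFile(other)
	return fd2 == fd, detected, string(data), err
}

func main() {
	dir, _ := os.MkdirTemp("", "fdreuse")
	defer os.RemoveAll(dir)
	fmt.Println(strayClose(dir))
}
```

A long-running service can apply the same comparison to fd 0 by recording its identity at startup and re-checking it after a failed process launch.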

Comment 1 Guilherme de Almeida Suckevicz 2021-12-09 18:41:49 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2030808]
Affects: fedora-all [bug 2030810]
Affects: openstack-rdo [bug 2030809]

Comment 3 Summer Long 2021-12-10 00:34:16 UTC
Upstream commits: https://go-review.googlesource.com/c/go/+/370577/
Upstream commits: https://go-review.googlesource.com/c/go/+/370576/

Comment 13 errata-xmlrpc 2021-12-15 16:28:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5160 https://access.redhat.com/errata/RHSA-2021:5160

Comment 14 errata-xmlrpc 2021-12-16 10:52:06 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:5176 https://access.redhat.com/errata/RHSA-2021:5176

Comment 28 errata-xmlrpc 2022-03-10 13:16:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0055 https://access.redhat.com/errata/RHSA-2022:0055

Comment 29 errata-xmlrpc 2022-03-10 16:02:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0056 https://access.redhat.com/errata/RHSA-2022:0056

Comment 30 errata-xmlrpc 2022-03-16 15:50:41 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947

Comment 31 errata-xmlrpc 2022-03-21 12:05:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0927 https://access.redhat.com/errata/RHSA-2022:0927

Comment 32 errata-xmlrpc 2022-03-24 15:02:38 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.21

Via RHSA-2022:1051 https://access.redhat.com/errata/RHSA-2022:1051

Comment 33 errata-xmlrpc 2022-03-24 15:19:52 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:1056 https://access.redhat.com/errata/RHSA-2022:1056

Comment 34 errata-xmlrpc 2022-04-13 15:31:35 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1361 https://access.redhat.com/errata/RHSA-2022:1361

Comment 35 errata-xmlrpc 2022-04-13 18:49:28 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372

Comment 37 errata-xmlrpc 2022-05-05 13:49:53 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:1734 https://access.redhat.com/errata/RHSA-2022:1734

Comment 39 Product Security DevOps Team 2022-05-11 19:45:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-44717

Comment 41 errata-xmlrpc 2022-09-14 19:27:17 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:6526 https://access.redhat.com/errata/RHSA-2022:6526

Comment 42 errata-xmlrpc 2023-01-24 12:48:47 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407

Comment 43 errata-xmlrpc 2023-01-24 13:34:18 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408