Bug 1921650 (CVE-2021-3121) - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
Summary: CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain inde...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3121
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1921792 1924538 1921793 1921794 1921795 1922072 1922073 1922074 1923139 1923140 1923141 1923142 1923143 1923144 1923145 1923146 1923147 1923148 1923149 1923150 1923152 1923153 1923168 1924039 1924416 1924417 1924418 1924419 1924420 1924421 1924422 1924423 1924424 1924425 1924426 1924427 1924428 1924429 1924430 1924431 1924432 1924433 1924434 1924435 1924438 1924439 1924440 1924441 1924442 1924443 1924444 1924445 1924446 1924447 1924448 1924449 1924450 1924451 1924452 1924453 1924454 1924455 1924456 1924457 1924460 1924461 1924462 1924463 1924464 1924465 1924466 1924467 1924468 1924469 1924470 1924471 1924472 1924473 1924474 1924475 1924476 1924477 1924478 1924481 1924482 1924483 1924484 1924485 1924486 1924487 1924488 1924489 1924490 1924491 1924492 1924493 1924494 1924495 1924496 1924497 1924498 1924499 1924500 1924503 1924504 1924505 1924506 1924507 1924508 1924509 1924510 1924512 1924513 1924515 1924517 1924519 1924521 1924523 1924524 1924525 1924526 1924527 1924528 1924530 1924531 1924532 1924533 1924534 1924535 1924537 1924539 1924540 1924541 1924542 1924543 1924544 1924545 1924546 1924547 1924548 1924826 1924830 1924832 1924833 1924834 1924836 1924838 1924839 1924842 1924843 1925409 1925411 1925412 1925413 1925414 1928980 1928981 1928982 1928983 1928984 1928985 1928986 1928987 1929985 1930000 1930001 1930002 1930003 1934095 1934132 1934147 1934154 1934164 1934181 1957534
Blocks: 1921695
TreeView+ depends on / blocked
 
Reported: 2021-01-28 11:41 UTC by Michael Kaplan
Modified: 2023-12-30 04:25 UTC (History)
85 users (show)

Fixed In Version: github.com/gogo/protobuf 1.3.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects. This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability.
Clone Of:
Environment:
Last Closed: 2021-02-18 19:02:12 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:10:46 UTC
Red Hat Product Errata RHSA-2020:5634 0 None None None 2021-02-24 14:42:13 UTC
Red Hat Product Errata RHSA-2020:5635 0 None None None 2021-02-24 15:01:26 UTC
Red Hat Product Errata RHSA-2021:0607 0 None None None 2021-02-17 18:19:11 UTC
Red Hat Product Errata RHSA-2021:0719 0 None None None 2021-03-04 01:15:46 UTC
Red Hat Product Errata RHSA-2021:0799 0 None None None 2021-03-10 11:16:19 UTC
Red Hat Product Errata RHSA-2021:2286 0 None None None 2021-06-15 09:26:53 UTC
Red Hat Product Errata RHSA-2021:2374 0 None None None 2021-06-14 14:45:40 UTC
Red Hat Product Errata RHSA-2021:2437 0 None None None 2021-07-27 22:07:27 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:31:48 UTC
Red Hat Product Errata RHSA-2021:2920 0 None None None 2021-07-27 14:19:59 UTC
Red Hat Product Errata RHSA-2021:2977 0 None None None 2021-08-11 06:41:11 UTC
Red Hat Product Errata RHSA-2021:3259 0 None None None 2021-08-24 12:49:02 UTC
Red Hat Product Errata RHSA-2021:3262 0 None None None 2021-09-01 18:23:58 UTC
Red Hat Product Errata RHSA-2021:3303 0 None None None 2021-09-08 13:17:57 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:28:18 UTC
Red Hat Product Errata RHSA-2021:4104 0 None None None 2021-11-02 15:57:06 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:01:55 UTC
Red Hat Product Errata RHSA-2022:0283 0 None None None 2022-02-03 05:18:59 UTC
Red Hat Product Errata RHSA-2022:0577 0 None None None 2022-03-28 09:35:49 UTC
Red Hat Product Errata RHSA-2022:1276 0 None None None 2022-04-07 17:58:42 UTC
Red Hat Product Errata RHSA-2022:1679 0 None None None 2022-05-10 15:34:19 UTC
Red Hat Product Errata RHSA-2022:6536 0 None None None 2022-09-20 16:33:39 UTC
Red Hat Product Errata RHSA-2022:6916 0 None None None 2022-10-12 07:57:13 UTC

Description Michael Kaplan 2021-01-28 11:41:35 UTC 
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Comment 5 Mark Cooper 2021-02-01 05:29:52 UTC 
Filing moderate bugs for Jaeger. Jaeger uses protobuf loading the unmarshal plugin, but only uses such for internal communications with no use of unsafe. Additionally the vulnerable skippy code is generated, for example: https://github.com/jaegertracing/jaeger/blob/27cb88fcb276de4bc2450137d17d999cbb802aea/proto-gen/api_v2/collector.pb.go#L394
Comment 12 Sam Fowler 2021-02-02 08:01:16 UTC 
Upstream kubernetes fix:

https://github.com/kubernetes/kubernetes/pull/98477
Comment 25 Matthew Booth 2021-02-04 13:30:35 UTC 
@sfowler I don't think it's sufficiently clear from the filed BZs that the actual vulnerability is in generated code, not in directly linked code. I certainly missed this initially and was about to close our (Shift on Stack) bugs.

My understanding of this issue is that if you unmarshal a type using vendored code which was generated by the vulnerable protobuf, then your application is potentially vulnerable to this issue. Given that this includes k8s.io/api et al, this will be almost everybody. My understanding is that the only fix to this is to revendor all affected modules with a version which has itself updated to *and regenerated with* the fixed gogo/protobuf.

The fix to core kubernetes you linked above is presumably going to hold everybody up here. While this appears to be fixed on master, I couldn't see any evidence of a backport, yet. I think this in turn means this is currently unfixable.

Assuming my understanding here is correct (a bold assumption, not to be made lightly), would it be helpful to:

1. Automatically add a comment to all dependent bugs clarifying this.
2. Re-open any bugs which have already been closed so they can be reassessed in this light.
3. Create bugs for dependent components for which we need backported fixes.
4. Automatically add these dependencies where relevant to all the created bugs.

I'd also be interested in guidance as to whether, in general, we consider this a blocker for 4.7. It sounds to me like we should, but I wouldn't be surprised to hear there's pragmatic context.
Comment 26 Matthew Booth 2021-02-04 13:36:47 UTC 
@sfowler Rereading that comment (after submission, of course!) I think it misses the key point:

Your application is not in the clear just because it doesn't link plugin/unmarshal/unmarshal.go. Your application is not in the clear if it vendors any of the listed modules which themselves generated code using plugin/unmarshal/unmarshal.go. Almost all applications will be affected by this, as it includes k8s.io/api et al.
Comment 28 Matthew Booth 2021-02-04 14:54:53 UTC 
A (hopefully final) thought: under what circumstances are messages marshalled and unmarshalled using protobuf? For example, do regular api calls use protobuf or are they using http/json?
Comment 29 Sam Fowler 2021-02-05 06:15:01 UTC 
@mbooth - I agree with your analysis. Applications are affected if they include code with the Unmarshal() function that was generated by vulnerable versions of gogo/protobuf, e.g. 

```
/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go:
import (
        ...
	proto "github.com/gogo/protobuf/proto"
...
func (m *Status) Unmarshal(dAtA []byte) error
```

The upstream kube fix in master both bumps gogo/protobuf and re-generates the affected code. We can consume the same fix in our components to update our protobuf k8s.io code but I think we will need similar upstream fixes for openshift/api, go.etcd.io/etcd etc.
Comment 66 errata-xmlrpc 2021-02-17 18:19:06 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 7

Via RHSA-2021:0607 https://access.redhat.com/errata/RHSA-2021:0607
Comment 67 Mark Cooper 2021-02-18 01:03:55 UTC 
Statement:

OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) all include code generated by github.com/gogo/protobuf to parse protobuf messages. However, no component is known to accept protobuf messages from unauthenticated sources, hence this vulnerability is rated Moderate for OCP, OSSM and RHOSJ.

OpenShift Virtualization includes code generated by github.com/gogo/protobuf to parse protobuf messages. However, no component of OpenShift Virtualization is known to accept protobuf messages from unauthenticated sources, hence this vulnerability is rated Moderate.

Red Hat Advanced Cluster Management for Kubernetes (RHACM) includes code generated by github.com/gogo/protobuf to parse protobuf messages. However, no RHACM component is accepting  protobuf messages from unauthenticated sources and are used with a limited scope, hence this vulnerability is rated Moderate for RHACM.

Red Hat Cluster Application Migration (CAM) includes code generated by github.com/gogo/protobuf to parse protobuf messages. However, no CAM component is known to accept protobuf messages from unauthenticated sources, hence this vulnerability is rated Moderate for CAM.
Comment 70 Product Security DevOps Team 2021-02-18 19:02:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3121
Comment 71 errata-xmlrpc 2021-02-24 14:42:06 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5634 https://access.redhat.com/errata/RHSA-2020:5634
Comment 72 errata-xmlrpc 2021-02-24 15:01:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5635 https://access.redhat.com/errata/RHSA-2020:5635
Comment 73 errata-xmlrpc 2021-02-24 15:10:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633
Comment 74 errata-xmlrpc 2021-03-04 01:15:40 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 7

Via RHSA-2021:0719 https://access.redhat.com/errata/RHSA-2021:0719
Comment 75 errata-xmlrpc 2021-03-10 11:16:10 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799
Comment 76 errata-xmlrpc 2021-04-05 13:16:24 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1006 https://access.redhat.com/errata/RHSA-2021:1006
Comment 77 errata-xmlrpc 2021-04-05 13:40:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1007 https://access.redhat.com/errata/RHSA-2021:1007
Comment 78 errata-xmlrpc 2021-04-05 13:55:06 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1005 https://access.redhat.com/errata/RHSA-2021:1005
Comment 80 errata-xmlrpc 2021-04-26 15:49:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1227 https://access.redhat.com/errata/RHSA-2021:1227
Comment 81 errata-xmlrpc 2021-04-26 16:08:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1225 https://access.redhat.com/errata/RHSA-2021:1225
Comment 84 Siddharth Sharma 2021-05-10 17:57:44 UTC 
This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped due to a blocker https://bugzilla.redhat.com/show_bug.cgi?id=1958518.
Comment 88 errata-xmlrpc 2021-05-19 15:12:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1552 https://access.redhat.com/errata/RHSA-2021:1552
Comment 90 errata-xmlrpc 2021-05-24 17:12:49 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1563 https://access.redhat.com/errata/RHSA-2021:1563
Comment 91 errata-xmlrpc 2021-05-26 20:07:37 UTC 
This issue has been addressed in the following products:

  OpenShift Logging 5.0

Via RHSA-2021:2136 https://access.redhat.com/errata/RHSA-2021:2136
Comment 92 errata-xmlrpc 2021-06-01 04:50:29 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:2121 https://access.redhat.com/errata/RHSA-2021:2121
Comment 93 Siddharth Sharma 2021-06-04 18:38:17 UTC 
This bug will be shipped as part of next z-stream release 4.7.15 on June 14th, as 4.7.14 was dropped due to a regression https://bugzilla.redhat.com/show_bug.cgi?id=1967614
Comment 95 errata-xmlrpc 2021-06-14 14:45:35 UTC 
This issue has been addressed in the following products:

  OpenShift Logging 5.0

Via RHSA-2021:2374 https://access.redhat.com/errata/RHSA-2021:2374
Comment 96 errata-xmlrpc 2021-06-15 09:26:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:2286 https://access.redhat.com/errata/RHSA-2021:2286
Comment 97 errata-xmlrpc 2021-07-27 14:19:43 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.8

Via RHSA-2021:2920 https://access.redhat.com/errata/RHSA-2021:2920
Comment 98 errata-xmlrpc 2021-07-27 22:07:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2437 https://access.redhat.com/errata/RHSA-2021:2437
Comment 99 errata-xmlrpc 2021-07-27 22:31:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
Comment 100 errata-xmlrpc 2021-08-11 06:41:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:2977 https://access.redhat.com/errata/RHSA-2021:2977
Comment 102 errata-xmlrpc 2021-08-24 12:48:57 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.8

Via RHSA-2021:3259 https://access.redhat.com/errata/RHSA-2021:3259
Comment 103 errata-xmlrpc 2021-09-01 18:23:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:3262 https://access.redhat.com/errata/RHSA-2021:3262
Comment 104 errata-xmlrpc 2021-09-08 13:17:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:3303 https://access.redhat.com/errata/RHSA-2021:3303
Comment 105 errata-xmlrpc 2021-10-18 17:28:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759
Comment 106 errata-xmlrpc 2021-11-02 15:57:01 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.9

Via RHSA-2021:4104 https://access.redhat.com/errata/RHSA-2021:4104
Comment 108 errata-xmlrpc 2022-02-03 05:18:54 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2022:0283 https://access.redhat.com/errata/RHSA-2022:0283
Comment 109 errata-xmlrpc 2022-03-10 16:01:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0056 https://access.redhat.com/errata/RHSA-2022:0056
Comment 110 errata-xmlrpc 2022-03-28 09:35:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577
Comment 113 errata-xmlrpc 2022-04-07 17:58:36 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276
Comment 114 errata-xmlrpc 2022-05-10 15:34:13 UTC 
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2022:1679 https://access.redhat.com/errata/RHSA-2022:1679
Comment 116 errata-xmlrpc 2022-09-20 16:33:31 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6536 https://access.redhat.com/errata/RHSA-2022:6536
Comment 117 errata-xmlrpc 2022-10-12 07:57:06 UTC 
This issue has been addressed in the following products:

  AMQ Broker 7.10.1

Via RHSA-2022:6916 https://access.redhat.com/errata/RHSA-2022:6916
Comment 119 Red Hat Bugzilla 2023-12-30 04:25:05 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
Note You need to log in before you can comment on or make changes to this bug.