The Elastic APM agent for Go in versions before 1.11.0 can leak sensitive HTTP header values when it records request details during an application panic. Normally the agent sanitizes sensitive HTTP headers (for example credentials and cookies) before sending request data to the APM server. When the instrumented handler panics, the headers captured on the panic path may be sent to the APM server without that sanitization.
External References: https://discuss.elastic.co/t/elastic-apm-agent-for-go-1-11-0-security-update/263252
Upstream fix: https://github.com/elastic/apm-agent-go/pull/888
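To make the failure mode concrete, the following is an added illustration of the pattern described above; it is not code from apm-agent-go and does not reproduce the agent's actual capture logic. It assumes a small header sanitizer (`SanitizeHeaders`, with a hypothetical list of sensitive header names) and shows a "capture" routine whose normal exit path sanitizes but whose `recover` path copies the raw request headers, next to a fixed version that sanitizes once up front so every exit path, including the panic path, uses the redacted copy. Sample request values are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical list of header names the sanitizer redacts (an assumption
// for this example, not the agent's real configuration).
var sensitiveHeaders = map[string]bool{
	"Authorization":       true,
	"Proxy-Authorization": true,
	"Cookie":              true,
	"Set-Cookie":          true,
	"X-Api-Key":           true,
}

const redacted = "[REDACTED]"

// SanitizeHeaders returns a copy of h with sensitive values replaced.
func SanitizeHeaders(h http.Header) http.Header {
	out := make(http.Header, len(h))
	for name, values := range h {
		canon := http.CanonicalHeaderKey(name)
		if sensitiveHeaders[canon] {
			out[canon] = []string{redacted}
			continue
		}
		out[canon] = append([]string(nil), values...)
	}
	return out
}

// Report stands in for the transaction/error payload shipped to the server.
type Report struct {
	Headers http.Header
	Panic   string // non-empty when the handler panicked
}

// captureVulnerable sanitizes on the normal path only. The deferred recover
// copies r.Header directly, so a panic ships raw credentials (the bug class).
func captureVulnerable(r *http.Request, h http.HandlerFunc) (rep Report) {
	defer func() {
		if v := recover(); v != nil {
			rep = Report{Headers: r.Header.Clone(), Panic: fmt.Sprint(v)} // BUG: unsanitized
		}
	}()
	h(httptest.NewRecorder(), r)
	rep = Report{Headers: SanitizeHeaders(r.Header)}
	return rep
}

// captureFixed sanitizes before running the handler, so both the normal
// return and the recover path report the same redacted copy.
func captureFixed(r *http.Request, h http.HandlerFunc) (rep Report) {
	safe := SanitizeHeaders(r.Header)
	defer func() {
		if v := recover(); v != nil {
			rep = Report{Headers: safe, Panic: fmt.Sprint(v)}
		}
	}()
	h(httptest.NewRecorder(), r)
	return Report{Headers: safe}
}

// LeaksSecret reports whether any sensitive header survived unredacted.
func LeaksSecret(rep Report) bool {
	for name := range sensitiveHeaders {
		if v := rep.Headers.Get(name); v != "" && v != redacted {
			return true
		}
	}
	return false
}

func handlerThatPanics(w http.ResponseWriter, r *http.Request) { panic("boom") }
func handlerOK(w http.ResponseWriter, r *http.Request)         { w.WriteHeader(http.StatusOK) }

// newSampleRequest builds a constructed request carrying secrets.
func newSampleRequest() *http.Request {
	r := httptest.NewRequest("GET", "/login", nil)
	r.Header.Set("Authorization", "Bearer s3cr3t-token")
	r.Header.Set("Cookie", "session=abc123")
	r.Header.Set("User-Agent", "example-client/1.0")
	return r
}

func main() {
	r := newSampleRequest()
	fmt.Println("vulnerable, panic path leaks:", LeaksSecret(captureVulnerable(r, handlerThatPanics)))
	fmt.Println("vulnerable, normal path leaks:", LeaksSecret(captureVulnerable(r, handlerOK)))
	fmt.Println("fixed, panic path leaks:      ", LeaksSecret(captureFixed(r, handlerThatPanics)))
}
```

The point of the fixed variant is structural rather than a bigger denylist: the sanitized copy is produced before any code that can panic, so there is no exit path that can observe the original headers. When reviewing an instrumentation library for this class of bug, look for every place a recover or error-capture path reads request state and confirm it goes through the same redaction as the happy path.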
Closing Hosted* as notaffected.
Statement: Several components in the products below include an old reference to go.elastic.co/apm in their go.sum files, but no code from that module is compiled in. These components are therefore not affected by this vulnerability.
* OpenShift Container Platform
* OpenShift Virtualization
* OpenShift Container Storage 4
* Red Hat Advanced Cluster Management for Kubernetes (RHACM)
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22133