Bug 1942553 (CVE-2021-22133) - CVE-2021-22133 go.elastic.co/apm: leaks sensitive HTTP headers during panic
Summary: CVE-2021-22133 go.elastic.co/apm: leaks sensitive HTTP headers during panic
Status: CLOSED ERRATA
Alias: CVE-2021-22133
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1945500
Blocks: 1942559
Reported: 2021-03-24 14:31 UTC by Michael Kaplan
Modified: 2021-12-22 06:37 UTC (History)

Fixed In Version: go.elastic.co/apm 1.11.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Elastic APM agent for Go in several versions, where it can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic, it is possible the headers will not be sanitized before being sent. The highest threat from this vulnerability is to confidentiality.
Last Closed: 2021-07-28 01:07:05 UTC

Links
Red Hat Product Errata RHSA-2021:2438 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2021-07-27 22:32:06 UTC)

Description Michael Kaplan 2021-03-24 14:31:24 UTC
The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent.

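The distinction the description draws, between the normal transaction path (headers sanitized before sending) and the panic path (headers possibly sent raw), as an added Go example that is not the agent's own code: one sanitizer applied in both paths, including the deferred recover handler. The sensitive-header list, handler names and request values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed list of sensitive header names; the agent's real default list is not reproduced here.
var sensitiveHeaders = map[string]bool{"authorization": true, "cookie": true, "set-cookie": true, "x-api-key": true}

// SanitizeHeaders returns a copy of h with sensitive values redacted; the request itself is left untouched.
func SanitizeHeaders(h http.Header) http.Header {
	out := make(http.Header, len(h))
	for name, values := range h {
		out[name] = append([]string(nil), values...)
		if sensitiveHeaders[strings.ToLower(name)] {
			out[name] = []string{"[REDACTED]"}
		}
	}
	return out
}

// ReportPanic builds the record shipped off-host; headers go through the same sanitizer as the normal path.
func ReportPanic(recovered interface{}, r *http.Request) map[string]interface{} {
	return map[string]interface{}{"error": fmt.Sprint(recovered), "headers": SanitizeHeaders(r.Header)}
}

// RecoverMiddleware recovers panics from next, reports them, and returns a generic 500.
func RecoverMiddleware(next http.Handler, report func(map[string]interface{})) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				report(ReportPanic(rec, r))
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed request carrying a bearer token, served by a handler that panics.
	req := httptest.NewRequest("GET", "/orders", nil)
	req.Header.Set("Authorization", "Bearer constructed-token")
	panicking := http.HandlerFunc(func(http.ResponseWriter, *http.Request) { panic("boom") })
	h := RecoverMiddleware(panicking, func(rec map[string]interface{}) { fmt.Println(rec) })
	h.ServeHTTP(httptest.NewRecorder(), req)
}
```
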
Comment 1 Michael Kaplan 2021-03-24 14:31:26 UTC
External References:

https://discuss.elastic.co/t/elastic-apm-agent-for-go-1-11-0-security-update/263252

Comment 2 Sam Fowler 2021-03-29 04:36:19 UTC
Upstream fix:

https://github.com/elastic/apm-agent-go/pull/888

Comment 7 juneau 2021-04-05 15:18:16 UTC
Closing Hosted* not affected.

Comment 8 Borja Tarraso 2021-04-09 06:19:57 UTC
Statement:

Several components in the below products include an old reference to go.elastic.co/apm in their go.sum files, however no code is included. These components are thus not affected by this vulnerability. 

* OpenShift Container Platform
* OpenShift Virtualization
* OpenShift Container Storage 4
* Red Hat Advanced Cluster for Kubernetes (RHACM)

Comment 9 errata-xmlrpc 2021-07-27 22:32:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

Comment 10 Product Security DevOps Team 2021-07-28 01:07:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22133

