Bug 1963232 (CVE-2021-33194) - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment
Summary: CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-33194
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1963235 1966749 1966753 1963233 1963234 1963921 1966290 1966291 1966292 1966293 1966294 1966295 1966296 1966297 1966298 1966299 1966300 1966301 1966302 1966303 1966304 1966305 1966306 1966307 1966308 1966309 1966310 1966311 1966312 1966313 1966314 1966315 1966316 1966317 1966318 1966319 1966320 1966321 1966322 1966323 1966324 1966325 1966327 1966330 1966331 1966332 1966750 1966751 1966752 1966754 1966755 1968738 1968739 1968740 1968741 1968742 1968743 1973164 1973165
Blocks: 1963236
TreeView+ depends on / blocked
 
Reported: 2021-05-21 18:03 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-01 00:09 UTC (History)
112 users (show)

Fixed In Version: golang.org/x/net v0.0.0-20210520170846-37e1c6afe023
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang. An attacker can craft an input to ParseFragment within parse.go that would cause it to enter an infinite loop and never return. The greatest threat to the system is of availability.
Clone Of:
Environment:
Last Closed: 2021-07-28 01:07:48 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:32:20 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:28:29 UTC
Red Hat Product Errata RHSA-2021:4627 0 None None None 2021-11-15 12:56:47 UTC

Description Guilherme de Almeida Suckevicz 2021-05-21 18:03:41 UTC 
An attacker can craft an input to ParseFragment that would cause it to enter an infinite loop and never return.

References:
https://github.com/golang/go/issues/46288
https://groups.google.com/g/golang-dev/c/28x0nthP-c8/m/KqWVTjsnBAAJ
Comment 1 Guilherme de Almeida Suckevicz 2021-05-21 18:04:26 UTC 
Created etcd tracking bugs for this issue:

Affects: openstack-rdo [bug 1963235]


Created golang tracking bugs for this issue:

Affects: epel-all [bug 1963233]
Affects: fedora-all [bug 1963234]
Comment 2 Sam Fowler 2021-05-24 06:17:50 UTC 
Upstream patch:

https://go-review.googlesource.com/c/net/+/311090/
Comment 8 Matthew Booth 2021-06-01 09:42:29 UTC 
For anybody else looking at this, I've chosen to close ours WONTFIX due to:

$ go mod why golang.org/x/net/html
# golang.org/x/net/html
k8s.io/cloud-provider-openstack/tests/e2e/csi/cinder
github.com/onsi/gomega
github.com/onsi/gomega/matchers
golang.org/x/net/html/charset
golang.org/x/net/html

We're only pulling this dependency in at all because of a gomega matcher we're not using. Our components don't parse html.
Comment 19 Austin Kimbrell 2021-07-09 20:39:44 UTC 
Updating buildah RHEL affects to 'notaffected' as the vulnerable code is not shipped with the product, just used in testing.
Comment 21 errata-xmlrpc 2021-07-27 22:32:18 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
Comment 22 Product Security DevOps Team 2021-07-28 01:07:48 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33194
Comment 23 Richard Theis 2021-08-25 20:12:01 UTC 
Hi folks, where can we find status of the fix for previous versions of OpenShift 4?
Comment 25 Rachel A 2021-09-30 12:50:45 UTC 
Can anyone tell me whether CVE-2021-33194 has been fixed in for OpenShift 4.7 and 4.6, and if so which security errata its documented in? I can't see any updated details on https://access.redhat.com/security/cve/cve-2021-33194, only that OpenShift v4 is still affected
Comment 26 Przemyslaw Roguski 2021-10-01 12:25:26 UTC 
(In reply to Rachel A from comment #25)
> Can anyone tell me whether CVE-2021-33194 has been fixed in for OpenShift
> 4.7 and 4.6, and if so which security errata its documented in? I can't see
> any updated details on
> https://access.redhat.com/security/cve/cve-2021-33194, only that OpenShift
> v4 is still affected

CVE-2021-33194 has been classified as a Moderate impact flaw and therefore it won't be addressed in OpenShift (OCP) 4.7 and 4.6 (both these releases are already in the maintenance support phase).
This vulnerability doesn't impact directly majority of OCP components, because even if the golang.org/x/net/html is imported (usually as a dependency) it's not used in the OCP components (the impacted functions are not used).
The future releases of OCP will use new version of Go and will import as well fixed version of golang.org/x/net/html.

In case of further questions please contact Red Hat Product Security team <secalert>.
Comment 27 errata-xmlrpc 2021-10-18 17:28:24 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759
Comment 28 errata-xmlrpc 2021-11-15 12:56:43 UTC 
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2021:4627 https://access.redhat.com/errata/RHSA-2021:4627
Note You need to log in before you can comment on or make changes to this bug.