Bug 1989564 (CVE-2021-33195) - CVE-2021-33195 golang: net: lookup functions may return invalid host names
Summary: CVE-2021-33195 golang: net: lookup functions may return invalid host names
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-33195
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1986050 1986056 1986057 1989568 1990215 1990218 1990220 1992101 1992104 1992500 1992516 1992517 1992525 1993403 1993406 1993407 1993408 1998344 1986037 1986041 1986042 1986043 1986044 1986045 1986046 1986047 1986048 1986069 1986070 1986071 1986072 1986073 1986079 1986082 1986084 1986571 1986975 1986976 1989565 1989566 1990214 1990216 1990217 1990219 1990221 1992001 1992002 1992003 1992100 1992102 1992103 1992105 1992106 1992107 1992501 1992518 1992519 1992520 1992521 1992522 1992523 1992524 1992526 1992527 1992528 1992529 1992530 1993404 1993405 1999367
Blocks: 1989579
TreeView+ depends on / blocked
 
Reported: 2021-08-03 13:22 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-02 03:56 UTC (History)
137 users (show)

Fixed In Version: go 1.16.5, go 1.15.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in the net package and methods on the Resolver type, may return arbitrary values retrieved from DNS, allowing injection of unexpected contents. The highest threat from this vulnerability is to integrity.
Clone Of:
Environment:
Last Closed: 2021-08-10 13:29:10 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2983 0 None None None 2021-08-10 11:27:19 UTC
Red Hat Product Errata RHSA-2021:2984 0 None None None 2021-08-10 07:50:16 UTC
Red Hat Product Errata RHSA-2021:3009 0 None None None 2021-08-12 00:38:41 UTC
Red Hat Product Errata RHSA-2021:3146 0 None None None 2021-08-12 01:35:02 UTC
Red Hat Product Errata RHSA-2021:3229 0 None None None 2021-08-19 12:34:00 UTC
Red Hat Product Errata RHSA-2021:3248 0 None None None 2021-08-31 14:59:36 UTC
Red Hat Product Errata RHSA-2021:3361 0 None None None 2021-08-31 08:10:00 UTC
Red Hat Product Errata RHSA-2021:3431 0 None None None 2021-09-07 08:36:10 UTC
Red Hat Product Errata RHSA-2021:3487 0 None None None 2021-09-15 06:38:54 UTC
Red Hat Product Errata RHSA-2021:3555 0 None None None 2021-09-16 15:21:51 UTC
Red Hat Product Errata RHSA-2021:3556 0 None None None 2021-09-16 18:39:44 UTC
Red Hat Product Errata RHSA-2021:3598 0 None None None 2021-09-21 11:06:19 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:28:42 UTC
Red Hat Product Errata RHSA-2021:3820 0 None None None 2021-10-19 20:20:53 UTC
Red Hat Product Errata RHSA-2021:4104 0 None None None 2021-11-02 15:57:18 UTC
Red Hat Product Errata RHSA-2021:4156 0 None None None 2021-11-09 17:25:35 UTC
Red Hat Product Errata RHSA-2021:4226 0 None None None 2021-11-09 17:49:14 UTC

Description Guilherme de Almeida Suckevicz 2021-08-03 13:22:04 UTC
Go before 1.15.12 and 1.16.x before 1.16.5 allows injection.

References:
https://github.com/golang/go/issues/46241
https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI

Comment 1 Guilherme de Almeida Suckevicz 2021-08-03 13:22:46 UTC
Created etcd tracking bugs for this issue:

Affects: openstack-rdo [bug 1989568]


Created golang tracking bugs for this issue:

Affects: epel-all [bug 1989565]
Affects: fedora-all [bug 1989566]

Comment 7 Riccardo Schirone 2021-08-09 13:32:19 UTC
Upstream patch:
https://github.com/golang/go/commit/c89f1224a544cde464fcb86e78ebb0cc97eedba2

Comment 9 errata-xmlrpc 2021-08-10 07:50:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2984 https://access.redhat.com/errata/RHSA-2021:2984

Comment 10 errata-xmlrpc 2021-08-10 11:27:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2983 https://access.redhat.com/errata/RHSA-2021:2983

Comment 11 Product Security DevOps Team 2021-08-10 13:29:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33195

Comment 15 errata-xmlrpc 2021-08-12 00:38:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:3009 https://access.redhat.com/errata/RHSA-2021:3009

Comment 16 errata-xmlrpc 2021-08-12 01:34:56 UTC
This issue has been addressed in the following products:

  RHACS-3.64-RHEL-8

Via RHSA-2021:3146 https://access.redhat.com/errata/RHSA-2021:3146

Comment 18 errata-xmlrpc 2021-08-19 12:33:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:3229 https://access.redhat.com/errata/RHSA-2021:3229

Comment 19 ximhan 2021-08-20 07:44:34 UTC
OpenShift engineering has decided to NOT ship 4.8.6 on 8/23 due to the following issue.
https://bugzilla.redhat.com/show_bug.cgi?id=1995785
All the fixes part will be now included in 4.8.7 on 8/30.

Comment 25 errata-xmlrpc 2021-08-31 08:09:49 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.5

Via RHSA-2021:3361 https://access.redhat.com/errata/RHSA-2021:3361

Comment 26 errata-xmlrpc 2021-08-31 14:59:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:3248 https://access.redhat.com/errata/RHSA-2021:3248

Comment 27 errata-xmlrpc 2021-09-07 08:36:03 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:3431 https://access.redhat.com/errata/RHSA-2021:3431

Comment 28 errata-xmlrpc 2021-09-15 06:38:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2021:3487 https://access.redhat.com/errata/RHSA-2021:3487

Comment 29 errata-xmlrpc 2021-09-16 15:21:45 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:3555 https://access.redhat.com/errata/RHSA-2021:3555

Comment 30 errata-xmlrpc 2021-09-16 18:39:38 UTC
This issue has been addressed in the following products:

  Openshift Serveless 1.17

Via RHSA-2021:3556 https://access.redhat.com/errata/RHSA-2021:3556

Comment 31 errata-xmlrpc 2021-09-21 11:06:11 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.8

Via RHSA-2021:3598 https://access.redhat.com/errata/RHSA-2021:3598

Comment 34 errata-xmlrpc 2021-10-18 17:28:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759

Comment 35 errata-xmlrpc 2021-10-19 20:20:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:3820 https://access.redhat.com/errata/RHSA-2021:3820

Comment 36 errata-xmlrpc 2021-11-02 15:57:12 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.9

Via RHSA-2021:4104 https://access.redhat.com/errata/RHSA-2021:4104

Comment 37 errata-xmlrpc 2021-11-09 17:25:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4156 https://access.redhat.com/errata/RHSA-2021:4156

Comment 38 errata-xmlrpc 2021-11-09 17:49:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4226 https://access.redhat.com/errata/RHSA-2021:4226


Note You need to log in before you can comment on or make changes to this bug.