Bug 1989570 (CVE-2021-33197) - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
Summary: CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection he...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-33197
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1989574 1986037 1986041 1986042 1986043 1986044 1986045 1986046 1986047 1986048 1986050 1986056 1986057 1986069 1986070 1986071 1986072 1986073 1986079 1986082 1986084 1986571 1986975 1986976 1989571 1989573 1990214 1990215 1990216 1990217 1990218 1990219 1990220 1990221 1992001 1992002 1992112 1992113 1992114 1992115 1992116 1992117 1992500 1992501 1992516 1992517 1992518 1992519 1992520 1992521 1992522 1992523 1992524 1992525 1992526 1992527 1992528 1992529 1992530 1993403 1993404 1993405 1993406 1993407 1993408 1993409 2004287 2057529
Blocks: 1989579
TreeView+ depends on / blocked
 
Reported: 2021-08-03 13:31 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-01 00:55 UTC (History)
144 users (show)

Fixed In Version: go 1.16.5, go 1.15.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity.
Clone Of:
Environment:
Last Closed: 2021-08-10 13:29:19 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2983 0 None None None 2021-08-10 11:27:09 UTC
Red Hat Product Errata RHSA-2021:2984 0 None None None 2021-08-10 07:50:33 UTC
Red Hat Product Errata RHSA-2021:3009 0 None None None 2021-08-12 00:38:44 UTC
Red Hat Product Errata RHSA-2021:3146 0 None None None 2021-08-12 01:35:03 UTC
Red Hat Product Errata RHSA-2021:3229 0 None None None 2021-08-19 12:34:11 UTC
Red Hat Product Errata RHSA-2021:3248 0 None None None 2021-08-31 14:59:49 UTC
Red Hat Product Errata RHSA-2021:3361 0 None None None 2021-08-31 08:09:56 UTC
Red Hat Product Errata RHSA-2021:3431 0 None None None 2021-09-07 08:36:10 UTC
Red Hat Product Errata RHSA-2021:3487 0 None None None 2021-09-15 06:39:02 UTC
Red Hat Product Errata RHSA-2021:3555 0 None None None 2021-09-16 15:22:03 UTC
Red Hat Product Errata RHSA-2021:3556 0 None None None 2021-09-16 18:39:54 UTC
Red Hat Product Errata RHSA-2021:3598 0 None None None 2021-09-21 11:06:34 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:28:48 UTC
Red Hat Product Errata RHSA-2021:3820 0 None None None 2021-10-19 20:20:55 UTC
Red Hat Product Errata RHSA-2021:4104 0 None None None 2021-11-02 15:57:20 UTC
Red Hat Product Errata RHSA-2021:4156 0 None None None 2021-11-09 17:25:40 UTC
Red Hat Product Errata RHSA-2021:4226 0 None None None 2021-11-09 17:49:27 UTC
Red Hat Product Errata RHSA-2021:5072 0 None None None 2021-12-09 20:17:16 UTC
Red Hat Product Errata RHSA-2021:5085 0 None None None 2021-12-13 15:26:43 UTC
Red Hat Product Errata RHSA-2021:5086 0 None None None 2021-12-13 17:44:11 UTC
Red Hat Product Errata RHSA-2022:0191 0 None None None 2022-01-19 17:49:52 UTC
Red Hat Product Errata RHSA-2022:0577 0 None None None 2022-03-28 09:36:15 UTC
Red Hat Product Errata RHSA-2022:0947 0 None None None 2022-03-16 15:48:26 UTC
Red Hat Product Errata RHSA-2022:1329 0 None None None 2022-04-12 15:08:00 UTC
Red Hat Product Errata RHSA-2022:1402 0 None None None 2022-04-19 13:33:30 UTC
Red Hat Product Errata RHSA-2022:7954 0 None None None 2022-11-15 09:47:56 UTC
Red Hat Product Errata RHSA-2022:8008 0 None None None 2022-11-15 09:57:08 UTC

Description Guilherme de Almeida Suckevicz 2021-08-03 13:31:08 UTC
Go before 1.15.12 and 1.16.x before 1.16.5 acts as an Unintended Proxy or Intermediary.

References:
https://github.com/golang/go/issues/46313
https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI

Comment 1 Guilherme de Almeida Suckevicz 2021-08-03 13:31:50 UTC
Created etcd tracking bugs for this issue:

Affects: openstack-rdo [bug 1989574]


Created golang tracking bugs for this issue:

Affects: epel-all [bug 1989571]
Affects: fedora-all [bug 1989573]

Comment 5 errata-xmlrpc 2021-08-10 07:50:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2984 https://access.redhat.com/errata/RHSA-2021:2984

Comment 6 errata-xmlrpc 2021-08-10 11:27:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2983 https://access.redhat.com/errata/RHSA-2021:2983

Comment 7 Product Security DevOps Team 2021-08-10 13:29:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33197

Comment 12 errata-xmlrpc 2021-08-12 00:38:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:3009 https://access.redhat.com/errata/RHSA-2021:3009

Comment 13 errata-xmlrpc 2021-08-12 01:34:57 UTC
This issue has been addressed in the following products:

  RHACS-3.64-RHEL-8

Via RHSA-2021:3146 https://access.redhat.com/errata/RHSA-2021:3146

Comment 15 errata-xmlrpc 2021-08-19 12:34:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:3229 https://access.redhat.com/errata/RHSA-2021:3229

Comment 16 ximhan 2021-08-20 07:44:34 UTC
OpenShift engineering has decided to NOT ship 4.8.6 on 8/23 due to the following issue.
https://bugzilla.redhat.com/show_bug.cgi?id=1995785
All the fixes part will be now included in 4.8.7 on 8/30.

Comment 20 errata-xmlrpc 2021-08-31 08:09:51 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.5

Via RHSA-2021:3361 https://access.redhat.com/errata/RHSA-2021:3361

Comment 21 errata-xmlrpc 2021-08-31 14:59:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:3248 https://access.redhat.com/errata/RHSA-2021:3248

Comment 22 errata-xmlrpc 2021-09-07 08:36:03 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:3431 https://access.redhat.com/errata/RHSA-2021:3431

Comment 24 errata-xmlrpc 2021-09-15 06:38:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2021:3487 https://access.redhat.com/errata/RHSA-2021:3487

Comment 25 errata-xmlrpc 2021-09-16 15:21:58 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:3555 https://access.redhat.com/errata/RHSA-2021:3555

Comment 26 errata-xmlrpc 2021-09-16 18:39:49 UTC
This issue has been addressed in the following products:

  Openshift Serveless 1.17

Via RHSA-2021:3556 https://access.redhat.com/errata/RHSA-2021:3556

Comment 27 errata-xmlrpc 2021-09-21 11:06:26 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.8

Via RHSA-2021:3598 https://access.redhat.com/errata/RHSA-2021:3598

Comment 30 errata-xmlrpc 2021-10-18 17:28:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759

Comment 31 errata-xmlrpc 2021-10-19 20:20:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:3820 https://access.redhat.com/errata/RHSA-2021:3820

Comment 32 errata-xmlrpc 2021-11-02 15:57:13 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.9

Via RHSA-2021:4104 https://access.redhat.com/errata/RHSA-2021:4104

Comment 33 errata-xmlrpc 2021-11-09 17:25:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4156 https://access.redhat.com/errata/RHSA-2021:4156

Comment 34 errata-xmlrpc 2021-11-09 17:49:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4226 https://access.redhat.com/errata/RHSA-2021:4226

Comment 36 errata-xmlrpc 2021-12-09 20:17:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5072 https://access.redhat.com/errata/RHSA-2021:5072

Comment 37 errata-xmlrpc 2021-12-13 15:26:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8

Via RHSA-2021:5085 https://access.redhat.com/errata/RHSA-2021:5085

Comment 38 errata-xmlrpc 2021-12-13 17:44:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8

Via RHSA-2021:5086 https://access.redhat.com/errata/RHSA-2021:5086

Comment 39 errata-xmlrpc 2022-01-19 17:49:46 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.9

Via RHSA-2022:0191 https://access.redhat.com/errata/RHSA-2022:0191

Comment 40 errata-xmlrpc 2022-03-16 15:48:19 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947

Comment 41 errata-xmlrpc 2022-03-28 09:36:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577

Comment 42 errata-xmlrpc 2022-04-12 15:07:52 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.8
  RHEL-7-CNV-4.8

Via RHSA-2022:1329 https://access.redhat.com/errata/RHSA-2022:1329

Comment 43 errata-xmlrpc 2022-04-19 13:33:24 UTC
This issue has been addressed in the following products:

  RHEL-7-CNV-2.6
  RHEL-8-CNV-2.6

Via RHSA-2022:1402 https://access.redhat.com/errata/RHSA-2022:1402

Comment 44 errata-xmlrpc 2022-11-15 09:47:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7954 https://access.redhat.com/errata/RHSA-2022:7954

Comment 45 errata-xmlrpc 2022-11-15 09:57:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8008 https://access.redhat.com/errata/RHSA-2022:8008


Note You need to log in before you can comment on or make changes to this bug.