Bug 1995656 (CVE-2021-36221) - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-36221
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority), medium (severity)
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1993407 1995964 1995965 1995969 1995971 1995972 1995973 1995974 1995975 1995976 1995977 1995978 1995981 1995983 1995984 1995985 1995986 1995987 1995988 1995989 1995990 1995991 1995992 1995993 1995994 1995995 1995996 1995997 1995998 1995999 1996000 1996002 1996003 1996004 1996005 1996006 1996007 1996009 1996763 1996772 1997188 1997190 1997191 1997874 1998071 1998072 1998073 1998074 1998075 1998076 1998077 1998078 1998079 1998080 1998107 1998108 1998109 1998110 1998111 1999010 1999416 2000977 2000989 2000990 2000991 2000992 2000993 2000994 1995966 1995967 1995968 1995970 1995979 1995980 1995982 1996001 1996008 1996010 1996761 1996769 1996770 1996771 1996810 1997869 1997870 1997871 1997872 1997873 1997875 1997876 1997877 1999358 1999415 2000978
Blocks: 1995693
Reported: 2021-08-19 15:04 UTC by Marian Rehak
Modified: 2021-11-23 10:48 UTC (History)

Fixed In Version: go 1.16.7, go 1.15.15
Doc Type: If docs needed, set a value
Doc Text:
A race condition flaw was found in Go. The incoming request's body was not closed after the handler panicked, and as a consequence this could lead to a ReverseProxy crash. The highest threat from this vulnerability is to Availability.
Clone Of:
Environment:
Last Closed: 2021-10-28 09:07:51 UTC




Links
System                   ID              Last Updated
Red Hat Product Errata   RHSA-2021:4156  2021-11-09 17:25:54 UTC
Red Hat Product Errata   RHSA-2021:4765  2021-11-23 08:43:14 UTC
Red Hat Product Errata   RHSA-2021:4766  2021-11-23 10:48:37 UTC

Description Marian Rehak 2021-08-19 15:04:23 UTC
A race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.

Reference:

https://github.com/golang/go/issues/46866
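The Doc Text and the description above pin the window down to one thing: after the handler panics (ReverseProxy aborts with ErrAbortHandler), the incoming request body is left open while the server tears the connection down, so whatever is still reading that body can race. The Go snippet below is an added illustration, not code from the Go project or from this bug: a hypothetical closeBodyOnPanic middleware that closes the body on the panic path, plus a constructed trackedBody and driver that show the body stays open without it and gets closed with it while the panic still propagates unchanged.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// closeBodyOnPanic is a hypothetical middleware that closes the incoming
// request body even when the wrapped handler panics (e.g. with
// http.ErrAbortHandler), so nothing still reading the body, such as a
// transport forwarding it upstream, races with the connection teardown.
func closeBodyOnPanic(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Body != nil {
			defer r.Body.Close() // deferred calls run during a panic unwind too
		}
		next.ServeHTTP(w, r)
	})
}

// trackedBody is a constructed request body that records whether Close ran.
type trackedBody struct {
	io.Reader
	closed bool
}

func (b *trackedBody) Close() error { b.closed = true; return nil }

// runAbortingHandler runs a handler that aborts with ErrAbortHandler, with or
// without the middleware, and reports whether the body was closed and which
// panic value propagated (the middleware re-raises it unchanged).
func runAbortingHandler(wrap bool) (closed bool, recovered interface{}) {
	body := &trackedBody{Reader: strings.NewReader("constructed payload")}
	req := httptest.NewRequest(http.MethodPost, "/proxy", nil)
	req.Body = body
	var h http.Handler = http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
		panic(http.ErrAbortHandler)
	})
	if wrap {
		h = closeBodyOnPanic(h)
	}
	func() {
		defer func() { recovered = recover() }()
		h.ServeHTTP(httptest.NewRecorder(), req)
	}()
	return body.closed, recovered
}
```

The fixed Go versions listed under "Fixed In Version" handle this inside net/http/httputil itself; the wrapper only makes the missing close visible in a unit test.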

Comment 11 Summer Long 2021-08-26 00:28:25 UTC
Created golang tracking bugs for this issue:

Affects: openstack-rdo [bug 1997874]

Comment 20 Marian Rehak 2021-08-31 07:12:28 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1999416]
Affects: fedora-all [bug 1999415]

Comment 29 Fedora Update System 2021-09-15 18:19:51 UTC
FEDORA-2021-38b51d9fd3 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 34 errata-xmlrpc 2021-11-09 17:25:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4156 https://access.redhat.com/errata/RHSA-2021:4156

Comment 35 errata-xmlrpc 2021-11-23 08:43:08 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:4765 https://access.redhat.com/errata/RHSA-2021:4765

Comment 36 errata-xmlrpc 2021-11-23 10:48:32 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.19

Via RHSA-2021:4766 https://access.redhat.com/errata/RHSA-2021:4766

