Bug 1995656 (CVE-2021-36221) - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
Status: CLOSED ERRATA
Alias: CVE-2021-36221
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1996772 1997190 1997874 1993407 1995964 1995965 1995966 1995967 1995968 1995969 1995970 1995971 1995972 1995973 1995974 1995975 1995976 1995977 1995978 1995979 1995980 1995981 1995982 1995983 1995984 1995985 1995986 1995987 1995988 1995989 1995990 1995991 1995992 1995993 1995994 1995995 1995996 1995997 1995998 1995999 1996000 1996001 1996002 1996003 1996004 1996005 1996006 1996007 1996008 1996009 1996010 1996761 1996763 1996769 1996770 1996771 1996810 1997188 1997191 1997869 1997870 1997871 1997872 1997873 1997875 1997876 1997877 1998071 1998072 1998073 1998074 1998075 1998076 1998077 1998078 1998079 1998080 1998107 1998108 1998109 1998110 1998111 1999010 1999358 1999415 1999416 2000977 2000978 2000989 2000990 2000991 2000992 2000993 2000994 2057167
Blocks: 1995693
Reported: 2021-08-19 15:04 UTC by Marian Rehak
Modified: 2022-11-08 09:11 UTC

Fixed In Version: go 1.16.7, go 1.15.15
Doc Text:
A race condition flaw was found in Go. The incoming request's body was not closed after a handler panic, and as a consequence this could lead to a ReverseProxy crash. The highest threat from this vulnerability is to Availability.
Last Closed: 2021-10-28 09:07:51 UTC

Links
System                  ID              Last Updated
Red Hat Product Errata  RHSA-2021:4156  2021-11-09 17:25:54 UTC
Red Hat Product Errata  RHSA-2021:4765  2021-11-23 08:43:14 UTC
Red Hat Product Errata  RHSA-2021:4766  2021-11-23 10:48:37 UTC
Red Hat Product Errata  RHSA-2022:0318  2022-01-27 16:56:53 UTC
Red Hat Product Errata  RHSA-2022:0557  2022-02-23 12:51:29 UTC
Red Hat Product Errata  RHSA-2022:0561  2022-02-23 13:56:15 UTC
Red Hat Product Errata  RHSA-2022:0577  2022-03-28 09:36:30 UTC
Red Hat Product Errata  RHSA-2022:0855  2022-03-14 10:24:27 UTC
Red Hat Product Errata  RHSA-2022:0947  2022-03-16 15:50:16 UTC
Red Hat Product Errata  RHSA-2022:1276  2022-04-07 17:58:55 UTC
Red Hat Product Errata  RHSA-2022:1361  2022-04-13 15:30:54 UTC
Red Hat Product Errata  RHSA-2022:1372  2022-04-13 18:49:18 UTC
Red Hat Product Errata  RHSA-2022:1396  2022-04-19 10:21:50 UTC
Red Hat Product Errata  RHSA-2022:4668  2022-05-18 20:26:49 UTC
Red Hat Product Errata  RHSA-2022:7457  2022-11-08 09:11:30 UTC

Description Marian Rehak 2021-08-19 15:04:23 UTC
A race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.

Reference:

https://github.com/golang/go/issues/46866
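
The Doc Text above states that the incoming request body was not closed after a handler panic. As an added example (not code from this bug, from Go, or from the upstream fix), the Go wrapper below guarantees that a ReverseProxy's incoming body is closed even when the handler aborts with http.ErrAbortHandler, and includes an offline self-check that drives it with an aborting handler; closeBodyOnExit, recordingBody, runAbortingHandler and the backend.invalid upstream are assumed names.

```go
package main

import (
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// closeBodyOnExit wraps a handler (here a ReverseProxy) so the incoming body is
// closed when the handler returns, even via a panic such as http.ErrAbortHandler.
// Hypothetical helper for unpatched Go; not code from net/http or the upstream fix.
func closeBodyOnExit(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Server requests always carry a non-nil Body; a deferred Close also
		// runs during panic unwinding, so nothing keeps reading it afterwards.
		defer r.Body.Close()
		h.ServeHTTP(w, r)
	})
}

// recordingBody is a constructed io.ReadCloser that records Close calls.
type recordingBody struct {
	io.Reader
	closed bool
}

func (b *recordingBody) Close() error { b.closed = true; return nil }

// runAbortingHandler drives the wrapper with a handler that aborts via
// http.ErrAbortHandler; the abort must still propagate so net/http sees it.
func runAbortingHandler() (closed, aborted bool) {
	body := &recordingBody{Reader: http.NoBody}
	req := httptest.NewRequest(http.MethodPost, "http://backend.invalid/", body)
	abort := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
		panic(http.ErrAbortHandler)
	})
	defer func() {
		err, ok := recover().(error)
		aborted = ok && err == http.ErrAbortHandler
		closed = body.closed
	}()
	closeBodyOnExit(abort).ServeHTTP(httptest.NewRecorder(), req)
	return
}

func main() {
	upstream := &url.URL{Scheme: "http", Host: "backend.invalid:8080"} // placeholder
	log.Fatal(http.ListenAndServe(":8080", closeBodyOnExit(httputil.NewSingleHostReverseProxy(upstream))))
}
```

Upgrading to a fixed Go (1.16.7 or 1.15.15 per this record) is the actual fix; the wrapper only closes the same gap on an older toolchain.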

Comment 11 Summer Long 2021-08-26 00:28:25 UTC
Created golang tracking bugs for this issue:

Affects: openstack-rdo [bug 1997874]

Comment 20 Marian Rehak 2021-08-31 07:12:28 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1999416]
Affects: fedora-all [bug 1999415]

Comment 29 Fedora Update System 2021-09-15 18:19:51 UTC
FEDORA-2021-38b51d9fd3 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 34 errata-xmlrpc 2021-11-09 17:25:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4156 https://access.redhat.com/errata/RHSA-2021:4156

Comment 35 errata-xmlrpc 2021-11-23 08:43:08 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:4765 https://access.redhat.com/errata/RHSA-2021:4765

Comment 36 errata-xmlrpc 2021-11-23 10:48:32 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.19

Via RHSA-2021:4766 https://access.redhat.com/errata/RHSA-2021:4766

Comment 37 errata-xmlrpc 2022-01-27 16:56:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift distributed tracing 2.1

Via RHSA-2022:0318 https://access.redhat.com/errata/RHSA-2022:0318

Comment 39 errata-xmlrpc 2022-02-23 12:51:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0557 https://access.redhat.com/errata/RHSA-2022:0557

Comment 40 errata-xmlrpc 2022-02-23 13:56:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0561 https://access.redhat.com/errata/RHSA-2022:0561

Comment 41 errata-xmlrpc 2022-03-14 10:24:20 UTC
This issue has been addressed in the following products:

  OSE-OSC-1.2.0-RHEL-8

Via RHSA-2022:0855 https://access.redhat.com/errata/RHSA-2022:0855

Comment 42 errata-xmlrpc 2022-03-16 15:50:09 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947

Comment 43 errata-xmlrpc 2022-03-28 09:36:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577

Comment 44 errata-xmlrpc 2022-04-07 17:58:49 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276

Comment 45 errata-xmlrpc 2022-04-13 15:30:47 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1361 https://access.redhat.com/errata/RHSA-2022:1361

Comment 46 errata-xmlrpc 2022-04-13 18:49:11 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372

Comment 47 errata-xmlrpc 2022-04-19 10:21:44 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.5

Via RHSA-2022:1396 https://access.redhat.com/errata/RHSA-2022:1396

Comment 49 errata-xmlrpc 2022-05-18 20:26:43 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:4668 https://access.redhat.com/errata/RHSA-2022:4668

Comment 50 errata-xmlrpc 2022-11-08 09:11:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7457 https://access.redhat.com/errata/RHSA-2022:7457