Bug 1989575 (CVE-2021-33198) - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
Summary: CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fa...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-33198
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1989578 1986037 1986041 1986042 1986043 1986044 1986045 1986046 1986047 1986048 1986050 1986056 1986057 1986069 1986070 1986071 1986072 1986073 1986079 1986082 1986084 1986571 1986975 1986976 1989576 1989577 1990214 1990215 1990216 1990217 1990218 1990219 1990220 1990221 1992001 1992002 1992003 1992118 1992119 1992120 1992121 1992122 1992123 1992124 1992126 1992127 1992128 1992129 1992130 1992131 1992132 1992133 1992134 1992500 1992501 1992516 1992517 1992518 1992519 1992520 1992521 1992522 1992523 1992524 1992525 1992526 1992527 1992528 1992529 1992530 1993403 1993404 1993405 1993406 1993407 1993408 1993409 1999377 2057529
Blocks: 1989579
Reported: 2021-08-03 13:35 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-10-17 11:27 UTC (History)

Fixed In Version: go 1.16.5, go 1.15.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go, where it attempts to allocate excessive memory. This issue may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-08-10 13:29:27 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2983 0 None None None 2021-08-10 11:27:21 UTC
Red Hat Product Errata RHSA-2021:2984 0 None None None 2021-08-10 07:50:34 UTC
Red Hat Product Errata RHSA-2021:3009 0 None None None 2021-08-12 00:38:55 UTC
Red Hat Product Errata RHSA-2021:3146 0 None None None 2021-08-12 01:35:17 UTC
Red Hat Product Errata RHSA-2021:3229 0 None None None 2021-08-19 12:34:14 UTC
Red Hat Product Errata RHSA-2021:3248 0 None None None 2021-08-31 14:59:50 UTC
Red Hat Product Errata RHSA-2021:3361 0 None None None 2021-08-31 08:10:15 UTC
Red Hat Product Errata RHSA-2021:3487 0 None None None 2021-09-15 06:39:07 UTC
Red Hat Product Errata RHSA-2021:3555 0 None None None 2021-09-16 15:22:03 UTC
Red Hat Product Errata RHSA-2021:3556 0 None None None 2021-09-16 18:40:02 UTC
Red Hat Product Errata RHSA-2021:3598 0 None None None 2021-09-21 11:06:37 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:28:56 UTC
Red Hat Product Errata RHSA-2021:3820 0 None None None 2021-10-19 20:21:09 UTC
Red Hat Product Errata RHSA-2021:4104 0 None None None 2021-11-02 15:57:25 UTC
Red Hat Product Errata RHSA-2021:4156 0 None None None 2021-11-09 17:25:48 UTC
Red Hat Product Errata RHSA-2021:5072 0 None None None 2021-12-09 20:17:18 UTC
Red Hat Product Errata RHSA-2021:5085 0 None None None 2021-12-13 15:26:52 UTC
Red Hat Product Errata RHSA-2021:5086 0 None None None 2021-12-13 17:44:13 UTC
Red Hat Product Errata RHSA-2022:0191 0 None None None 2022-01-19 17:49:55 UTC
Red Hat Product Errata RHSA-2022:0577 0 None None None 2022-03-28 09:36:17 UTC
Red Hat Product Errata RHSA-2022:0947 0 None None None 2022-03-16 15:48:46 UTC
Red Hat Product Errata RHSA-2022:1329 0 None None None 2022-04-12 15:08:15 UTC
Red Hat Product Errata RHSA-2022:1402 0 None None None 2022-04-19 13:33:30 UTC
Red Hat Product Errata RHSA-2022:7955 0 None None None 2022-11-15 09:48:10 UTC
Red Hat Product Errata RHSA-2022:8008 0 None None None 2022-11-15 09:57:22 UTC

Description Guilherme de Almeida Suckevicz 2021-08-03 13:35:31 UTC
Go before 1.15.12 and 1.16.x before 1.16.5 attempts to allocate excessive memory (issue 2 of 2).

References:
https://github.com/golang/go/issues/44910
https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
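The Doc Text and the description above name the hazard (an input string whose exponent is very large) but not how a program that parses untrusted numeric strings can stay up while it is still on an unfixed runtime. The Go code below is an added example, not code from this bug or from Go's own math/big sources; MaxExponent, exponentOf and SafeParseRat are names chosen for this illustration, and the 4096 limit is an assumption to be sized to the application.

```go
package main

import (
	"errors"
	"math/big"
	"strconv"
	"strings"
)

// MaxExponent bounds the exponent accepted from untrusted input; 4096 is an
// arbitrary choice for this example, size it to what the application needs.
const MaxExponent = 4096

var ErrExponentTooLarge = errors.New("rat: exponent exceeds configured limit")

// exponentOf returns the signed exponent of a floating-point literal in the
// syntax big.Rat.SetString accepts; ok is false when an exponent marker is
// followed by something that is not an int (including integer overflow).
func exponentOf(s string) (exp int, ok bool) {
	body := strings.TrimLeft(s, "+-")
	markers := "eEpP"
	// In a hexadecimal mantissa 'e'/'E' are digits; only 'p'/'P' marks the exponent.
	if strings.HasPrefix(body, "0x") || strings.HasPrefix(body, "0X") {
		markers = "pP"
	}
	i := strings.LastIndexAny(body, markers)
	if i < 0 {
		return 0, true // no exponent at all
	}
	if n, err := strconv.Atoi(body[i+1:]); err == nil {
		return n, true
	}
	return 0, false
}

// SafeParseRat rejects an oversized exponent before big.Rat.SetString sees the
// string (recover() cannot catch a fatal out-of-memory error); "a/b" has no exponent.
func SafeParseRat(s string) (*big.Rat, error) {
	if !strings.Contains(s, "/") {
		exp, ok := exponentOf(s)
		if !ok || exp > MaxExponent || exp < -MaxExponent {
			return nil, ErrExponentTooLarge
		}
	}
	r, ok := new(big.Rat).SetString(s)
	if !ok {
		return nil, errors.New("rat: invalid input")
	}
	return r, nil
}
```

Upgrading to the Fixed In Version remains the actual fix; the pre-check only keeps a process from being taken down by one request until that upgrade lands.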

Comment 1 Guilherme de Almeida Suckevicz 2021-08-03 13:36:31 UTC
Created etcd tracking bugs for this issue:

Affects: openstack-rdo [bug 1989578]


Created golang tracking bugs for this issue:

Affects: epel-all [bug 1989576]
Affects: fedora-all [bug 1989577]

Comment 6 errata-xmlrpc 2021-08-10 07:50:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2984 https://access.redhat.com/errata/RHSA-2021:2984

Comment 7 errata-xmlrpc 2021-08-10 11:27:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2983 https://access.redhat.com/errata/RHSA-2021:2983

Comment 8 Product Security DevOps Team 2021-08-10 13:29:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33198

Comment 12 errata-xmlrpc 2021-08-12 00:38:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:3009 https://access.redhat.com/errata/RHSA-2021:3009

Comment 13 errata-xmlrpc 2021-08-12 01:35:12 UTC
This issue has been addressed in the following products:

  RHACS-3.64-RHEL-8

Via RHSA-2021:3146 https://access.redhat.com/errata/RHSA-2021:3146

Comment 15 errata-xmlrpc 2021-08-19 12:34:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:3229 https://access.redhat.com/errata/RHSA-2021:3229

Comment 16 ximhan 2021-08-20 07:44:34 UTC
OpenShift engineering has decided to NOT ship 4.8.6 on 8/23 due to the following issue.
https://bugzilla.redhat.com/show_bug.cgi?id=1995785
All the fixes will now be included in 4.8.7 on 8/30.

Comment 21 errata-xmlrpc 2021-08-31 08:10:09 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.5

Via RHSA-2021:3361 https://access.redhat.com/errata/RHSA-2021:3361

Comment 22 errata-xmlrpc 2021-08-31 14:59:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:3248 https://access.redhat.com/errata/RHSA-2021:3248

Comment 23 errata-xmlrpc 2021-09-15 06:39:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2021:3487 https://access.redhat.com/errata/RHSA-2021:3487

Comment 24 errata-xmlrpc 2021-09-16 15:21:58 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:3555 https://access.redhat.com/errata/RHSA-2021:3555

Comment 25 errata-xmlrpc 2021-09-16 18:39:52 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.17

Via RHSA-2021:3556 https://access.redhat.com/errata/RHSA-2021:3556

Comment 26 errata-xmlrpc 2021-09-21 11:06:29 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.8

Via RHSA-2021:3598 https://access.redhat.com/errata/RHSA-2021:3598

Comment 29 errata-xmlrpc 2021-10-18 17:28:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759

Comment 30 errata-xmlrpc 2021-10-19 20:21:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:3820 https://access.redhat.com/errata/RHSA-2021:3820

Comment 31 errata-xmlrpc 2021-11-02 15:57:18 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.9

Via RHSA-2021:4104 https://access.redhat.com/errata/RHSA-2021:4104

Comment 32 errata-xmlrpc 2021-11-09 17:25:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4156 https://access.redhat.com/errata/RHSA-2021:4156

Comment 34 errata-xmlrpc 2021-12-09 20:17:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5072 https://access.redhat.com/errata/RHSA-2021:5072

Comment 35 errata-xmlrpc 2021-12-13 15:26:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8

Via RHSA-2021:5085 https://access.redhat.com/errata/RHSA-2021:5085

Comment 36 errata-xmlrpc 2021-12-13 17:44:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8

Via RHSA-2021:5086 https://access.redhat.com/errata/RHSA-2021:5086

Comment 37 errata-xmlrpc 2022-01-19 17:49:50 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.9

Via RHSA-2022:0191 https://access.redhat.com/errata/RHSA-2022:0191

Comment 38 errata-xmlrpc 2022-03-16 15:48:36 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947

Comment 39 errata-xmlrpc 2022-03-28 09:36:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577

Comment 40 errata-xmlrpc 2022-04-12 15:08:08 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.8
  RHEL-7-CNV-4.8

Via RHSA-2022:1329 https://access.redhat.com/errata/RHSA-2022:1329

Comment 41 errata-xmlrpc 2022-04-19 13:33:25 UTC
This issue has been addressed in the following products:

  RHEL-7-CNV-2.6
  RHEL-8-CNV-2.6

Via RHSA-2022:1402 https://access.redhat.com/errata/RHSA-2022:1402

Comment 42 errata-xmlrpc 2022-11-15 09:48:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7955 https://access.redhat.com/errata/RHSA-2022:7955

Comment 43 errata-xmlrpc 2022-11-15 09:57:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8008 https://access.redhat.com/errata/RHSA-2022:8008

