Bug 1995656 (CVE-2021-36221) - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
Summary: CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-36221
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1997190 1997874 1993407 1995964 1995965 1995966 1995967 1995968 1995969 1995970 1995971 1995972 1995973 1995974 1995975 1995976 1995977 1995978 1995979 1995980 1995981 1995982 1995983 1995984 1995985 1995986 1995987 1995988 1995989 1995990 1995991 1995992 1995993 1995994 1995995 1995996 1995997 1995998 1995999 1996000 1996001 1996002 1996003 1996004 1996005 1996006 1996007 1996008 1996009 1996010 1996761 1996763 1996769 1996770 1996771 1996772 1996810 1997188 1997191 1997869 1997870 1997871 1997872 1997873 1997875 1997876 1997877 1998071 1998072 1998073 1998074 1998075 1998076 1998077 1998078 1998079 1998080 1998107 1998108 1998109 1998110 1998111 1999010 1999358 1999415 1999416 2000977 2000978 2000989 2000990 2000991 2000992 2000993 2000994 2057167
Blocks: 1995693

Reported: 2021-08-19 15:04 UTC by Marian Rehak
Modified: 2023-02-07 17:07 UTC
CC List: 121 users

Fixed In Version: go 1.16.7, go 1.15.15
Doc Type: If docs needed, set a value
Doc Text:
A race condition flaw was found in Go. The incoming request body was not closed after a handler panic, and as a consequence a concurrent read of it could crash ReverseProxy. The highest threat from this vulnerability is to Availability.
Clone Of:
Environment:
Last Closed: 2021-10-28 09:07:51 UTC
Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2021:4156  0        None      None    None     2021-11-09 17:25:54 UTC
Red Hat Product Errata  RHSA-2021:4765  0        None      None    None     2021-11-23 08:43:14 UTC
Red Hat Product Errata  RHSA-2021:4766  0        None      None    None     2021-11-23 10:48:37 UTC
Red Hat Product Errata  RHSA-2022:0318  0        None      None    None     2022-01-27 16:56:53 UTC
Red Hat Product Errata  RHSA-2022:0557  0        None      None    None     2022-02-23 12:51:29 UTC
Red Hat Product Errata  RHSA-2022:0561  0        None      None    None     2022-02-23 13:56:15 UTC
Red Hat Product Errata  RHSA-2022:0577  0        None      None    None     2022-03-28 09:36:30 UTC
Red Hat Product Errata  RHSA-2022:0855  0        None      None    None     2022-03-14 10:24:27 UTC
Red Hat Product Errata  RHSA-2022:0947  0        None      None    None     2022-03-16 15:50:16 UTC
Red Hat Product Errata  RHSA-2022:1276  0        None      None    None     2022-04-07 17:58:55 UTC
Red Hat Product Errata  RHSA-2022:1361  0        None      None    None     2022-04-13 15:30:54 UTC
Red Hat Product Errata  RHSA-2022:1372  0        None      None    None     2022-04-13 18:49:18 UTC
Red Hat Product Errata  RHSA-2022:1396  0        None      None    None     2022-04-19 10:21:50 UTC
Red Hat Product Errata  RHSA-2022:4668  0        None      None    None     2022-05-18 20:26:49 UTC
Red Hat Product Errata  RHSA-2022:7457  0        None      None    None     2022-11-08 09:11:30 UTC

Description Marian Rehak 2021-08-19 15:04:23 UTC
A race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.

Reference:

https://github.com/golang/go/issues/46866
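As an added defender-side illustration (not the Go project's code nor the patch referenced in this bug), the wrapper below gives a handler chain the guarantee that the go 1.16.7 / 1.15.15 fix provides inside httputil.ReverseProxy.ServeHTTP: the incoming request body is closed even when the handler aborts with http.ErrAbortHandler, so nothing keeps reading it after the server has torn the connection down. The names CloseBodyOnExit, RunAbortingHandler and closingBody are hypothetical, and the request body is constructed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// closingBody is a constructed stand-in for an incoming request body that
// records whether Close was called.
type closingBody struct {
	io.Reader
	closed bool
}

func (b *closingBody) Close() error { b.closed = true; return nil }

// CloseBodyOnExit (hypothetical name) closes the incoming request body when
// the wrapped handler returns or panics. The upstream fix adds an equivalent
// deferred Close inside ReverseProxy.ServeHTTP; this is the same guarantee
// applied from outside, for a handler chain that cannot be patched directly.
func CloseBodyOnExit(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Body != nil {
			defer r.Body.Close() // runs during panic unwinding as well
		}
		next.ServeHTTP(w, r)
	})
}

// RunAbortingHandler drives the wrapper with a handler that aborts the way
// ReverseProxy does when the client goes away, and reports whether the body
// was closed and whether the abort panic still reached the caller (net/http
// must still see ErrAbortHandler to drop the connection).
func RunAbortingHandler() (bodyClosed, aborted bool) {
	body := &closingBody{Reader: strings.NewReader("constructed request body")}
	req := httptest.NewRequest(http.MethodPost, "http://example.invalid/", nil)
	req.Body = body
	h := CloseBodyOnExit(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
		panic(http.ErrAbortHandler)
	}))
	func() {
		defer func() { aborted = recover() == http.ErrAbortHandler }()
		h.ServeHTTP(httptest.NewRecorder(), req)
	}()
	return body.closed, aborted
}

func main() {
	closed, aborted := RunAbortingHandler()
	fmt.Printf("body closed: %v, abort propagated: %v\n", closed, aborted)
}
```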

Comment 11 Summer Long 2021-08-26 00:28:25 UTC
Created golang tracking bugs for this issue:

Affects: openstack-rdo [bug 1997874]

Comment 20 Marian Rehak 2021-08-31 07:12:28 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1999416]
Affects: fedora-all [bug 1999415]

Comment 29 Fedora Update System 2021-09-15 18:19:51 UTC
FEDORA-2021-38b51d9fd3 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 34 errata-xmlrpc 2021-11-09 17:25:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4156 https://access.redhat.com/errata/RHSA-2021:4156

Comment 35 errata-xmlrpc 2021-11-23 08:43:08 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:4765 https://access.redhat.com/errata/RHSA-2021:4765

Comment 36 errata-xmlrpc 2021-11-23 10:48:32 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.19

Via RHSA-2021:4766 https://access.redhat.com/errata/RHSA-2021:4766

Comment 37 errata-xmlrpc 2022-01-27 16:56:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift distributed tracing 2.1

Via RHSA-2022:0318 https://access.redhat.com/errata/RHSA-2022:0318

Comment 39 errata-xmlrpc 2022-02-23 12:51:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0557 https://access.redhat.com/errata/RHSA-2022:0557

Comment 40 errata-xmlrpc 2022-02-23 13:56:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0561 https://access.redhat.com/errata/RHSA-2022:0561

Comment 41 errata-xmlrpc 2022-03-14 10:24:20 UTC
This issue has been addressed in the following products:

  OSE-OSC-1.2.0-RHEL-8

Via RHSA-2022:0855 https://access.redhat.com/errata/RHSA-2022:0855

Comment 42 errata-xmlrpc 2022-03-16 15:50:09 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947

Comment 43 errata-xmlrpc 2022-03-28 09:36:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577

Comment 44 errata-xmlrpc 2022-04-07 17:58:49 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276

Comment 45 errata-xmlrpc 2022-04-13 15:30:47 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1361 https://access.redhat.com/errata/RHSA-2022:1361

Comment 46 errata-xmlrpc 2022-04-13 18:49:11 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372

Comment 47 errata-xmlrpc 2022-04-19 10:21:44 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.5

Via RHSA-2022:1396 https://access.redhat.com/errata/RHSA-2022:1396

Comment 49 errata-xmlrpc 2022-05-18 20:26:43 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:4668 https://access.redhat.com/errata/RHSA-2022:4668

Comment 50 errata-xmlrpc 2022-11-08 09:11:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7457 https://access.redhat.com/errata/RHSA-2022:7457