Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-29923 (GCVE-0-2021-29923)
Vulnerability from cvelistv5 – Published: 2021-08-07 16:38 – Updated: 2024-08-03 22:18
VLAI
EPSS
Summary
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://golang.org/pkg/net/#ParseCIDR | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC |
| https://defcon.org/html/defcon-29/dc-29-speakers.… | x_refsource_MISC |
| https://github.com/golang/go/issues/43389 | x_refsource_MISC |
| https://github.com/golang/go/issues/30999 | x_refsource_MISC |
| https://go-review.googlesource.com/c/go/+/325829/ | x_refsource_MISC |
| https://github.com/sickcodes/security/blob/master… | x_refsource_MISC |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://security.gentoo.org/glsa/202208-02 | vendor-advisoryx_refsource_GENTOO |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:18:03.455Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://golang.org/pkg/net/#ParseCIDR"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/golang/go/issues/43389"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/golang/go/issues/30999"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://go-review.googlesource.com/c/go/+/325829/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md"
},
{
"name": "FEDORA-2022-17d004ed71",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-04T15:09:33.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://golang.org/pkg/net/#ParseCIDR"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/golang/go/issues/43389"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/golang/go/issues/30999"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://go-review.googlesource.com/c/go/+/325829/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md"
},
{
"name": "FEDORA-2022-17d004ed71",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29923",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://golang.org/pkg/net/#ParseCIDR",
"refsource": "MISC",
"url": "https://golang.org/pkg/net/#ParseCIDR"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis",
"refsource": "MISC",
"url": "https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis"
},
{
"name": "https://github.com/golang/go/issues/43389",
"refsource": "MISC",
"url": "https://github.com/golang/go/issues/43389"
},
{
"name": "https://github.com/golang/go/issues/30999",
"refsource": "MISC",
"url": "https://github.com/golang/go/issues/30999"
},
{
"name": "https://go-review.googlesource.com/c/go/+/325829/",
"refsource": "MISC",
"url": "https://go-review.googlesource.com/c/go/+/325829/"
},
{
"name": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md",
"refsource": "MISC",
"url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md"
},
{
"name": "FEDORA-2022-17d004ed71",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/"
},
{
"name": "GLSA-202208-02",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-29923",
"datePublished": "2021-08-07T16:38:59.000Z",
"dateReserved": "2021-04-01T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:18:03.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-29923",
"date": "2026-05-30",
"epss": "0.00254",
"percentile": "0.48858"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-29923\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-08-07T17:15:07.067\",\"lastModified\":\"2024-11-21T06:01:59.570\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.\"},{\"lang\":\"es\",\"value\":\"Go versiones anteriores a 1.17, no considera apropiadamente los caracteres cero extra\u00f1os al principio de un octeto de direcci\u00f3n IP, lo que (en algunas situaciones) permite a atacantes omitir el control de acceso que es basado en las direcciones IP, debido a una interpretaci\u00f3n octal inesperada. Esto afecta a net.ParseIP y net.ParseCIDR\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.17\",\"matchCriteriaId\":\"D39D5C21-8281-429F-AC33-CE39821CA3EC\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"21.1.1.1.0\",\"matchCriteriaId\":\"20290BBC-E3C9-4B96-94FE-2DFADD4BF1F1\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}]}]}],\"references\":[{\"url\":\"https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/golang/go/issues/30999\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/golang/go/issues/43389\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://go-review.googlesource.com/c/go/+/325829/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://golang.org/pkg/net/#ParseCIDR\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.gentoo.org/glsa/202208-02\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/golang/go/issues/30999\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/golang/go/issues/43389\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://go-review.googlesource.com/c/go/+/325829/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://golang.org/pkg/net/#ParseCIDR\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202208-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
MSRC_CVE-2021-29923
Vulnerability from csaf_microsoft - Published: 2021-08-02 00:00 - Updated: 2026-02-18 14:02Summary
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet which (in some situations) allows attackers to bypass access control that is based on IP addresses because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 19007-16820 | — | ||
| Unresolved product id: 17021-17084 | — | ||
| Unresolved product id: 19696-17084 | — |
Known affected
3 products
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17084-1 | — |
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2021/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2021/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2021-29923 Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet which (in some situations) allows attackers to bypass access control that is based on IP addresses because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2021/msrc_cve-2021-29923.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet which (in some situations) allows attackers to bypass access control that is based on IP addresses because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
"tracking": {
"current_release_date": "2026-02-18T14:02:27.000Z",
"generator": {
"date": "2026-02-21T02:07:26.058Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2021-29923",
"initial_release_date": "2021-08-02T00:00:00.000Z",
"revision_history": [
{
"date": "2021-08-18T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2024-08-29T00:00:00.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Information published."
},
{
"date": "2024-08-30T00:00:00.000Z",
"legacy_version": "1.2",
"number": "3",
"summary": "Information published."
},
{
"date": "2024-08-31T00:00:00.000Z",
"legacy_version": "1.3",
"number": "4",
"summary": "Information published."
},
{
"date": "2024-09-01T00:00:00.000Z",
"legacy_version": "1.4",
"number": "5",
"summary": "Information published."
},
{
"date": "2024-09-02T00:00:00.000Z",
"legacy_version": "1.5",
"number": "6",
"summary": "Information published."
},
{
"date": "2024-09-03T00:00:00.000Z",
"legacy_version": "1.6",
"number": "7",
"summary": "Information published."
},
{
"date": "2024-09-05T00:00:00.000Z",
"legacy_version": "1.7",
"number": "8",
"summary": "Information published."
},
{
"date": "2024-09-06T00:00:00.000Z",
"legacy_version": "1.8",
"number": "9",
"summary": "Information published."
},
{
"date": "2024-09-07T00:00:00.000Z",
"legacy_version": "1.9",
"number": "10",
"summary": "Information published."
},
{
"date": "2024-09-08T00:00:00.000Z",
"legacy_version": "2",
"number": "11",
"summary": "Information published."
},
{
"date": "2024-09-11T00:00:00.000Z",
"legacy_version": "2.1",
"number": "12",
"summary": "Information published."
},
{
"date": "2026-02-18T14:02:27.000Z",
"legacy_version": "2.2",
"number": "13",
"summary": "Information published."
}
],
"status": "final",
"version": "13"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1.0",
"product": {
"name": "CBL Mariner 1.0",
"product_id": "16820"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccm1 golang 1.16.7-1",
"product": {
"name": "\u003ccm1 golang 1.16.7-1",
"product_id": "3"
}
},
{
"category": "product_version",
"name": "cm1 golang 1.16.7-1",
"product": {
"name": "cm1 golang 1.16.7-1",
"product_id": "19007"
}
}
],
"category": "product_name",
"name": "golang"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 python-tensorboard 2.16.2-2",
"product": {
"name": "\u003cazl3 python-tensorboard 2.16.2-2",
"product_id": "4"
}
},
{
"category": "product_version",
"name": "azl3 python-tensorboard 2.16.2-2",
"product": {
"name": "azl3 python-tensorboard 2.16.2-2",
"product_id": "17021"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 python-tensorboard 2.11.0-3",
"product": {
"name": "\u003cazl3 python-tensorboard 2.11.0-3",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "azl3 python-tensorboard 2.11.0-3",
"product": {
"name": "azl3 python-tensorboard 2.11.0-3",
"product_id": "19696"
}
}
],
"category": "product_name",
"name": "python-tensorboard"
},
{
"category": "product_name",
"name": "azl3 golang 1.24.3-1",
"product": {
"name": "azl3 golang 1.24.3-1",
"product_id": "1"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccm1 golang 1.16.7-1 as a component of CBL Mariner 1.0",
"product_id": "16820-3"
},
"product_reference": "3",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cm1 golang 1.16.7-1 as a component of CBL Mariner 1.0",
"product_id": "19007-16820"
},
"product_reference": "19007",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 python-tensorboard 2.16.2-2 as a component of Azure Linux 3.0",
"product_id": "17084-4"
},
"product_reference": "4",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 python-tensorboard 2.16.2-2 as a component of Azure Linux 3.0",
"product_id": "17021-17084"
},
"product_reference": "17021",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 golang 1.24.3-1 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 python-tensorboard 2.11.0-3 as a component of Azure Linux 3.0",
"product_id": "17084-2"
},
"product_reference": "2",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 python-tensorboard 2.11.0-3 as a component of Azure Linux 3.0",
"product_id": "19696-17084"
},
"product_reference": "19696",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-29923",
"flags": [
{
"label": "component_not_present",
"product_ids": [
"17084-1"
]
}
],
"notes": [
{
"category": "general",
"text": "mitre",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"19007-16820",
"17021-17084",
"19696-17084"
],
"known_affected": [
"16820-3",
"17084-4",
"17084-2"
],
"known_not_affected": [
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2021-29923 Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet which (in some situations) allows attackers to bypass access control that is based on IP addresses because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2021/msrc_cve-2021-29923.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-18T00:00:00.000Z",
"details": "1.16.7-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"16820-3"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2021-08-18T00:00:00.000Z",
"details": "2.16.2-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-4",
"17084-2"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalsScore": 0.0,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"16820-3",
"17084-4",
"17084-2"
]
}
],
"title": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet which (in some situations) allows attackers to bypass access control that is based on IP addresses because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR."
}
]
}
RHSA-2021:3431
Vulnerability from csaf_redhat - Published: 2021-09-07 08:38 - Updated: 2026-04-29 18:00Summary
Red Hat Security Advisory: go-toolset-1.15-golang security update
Severity
Moderate
Notes
Topic: An update for go-toolset-1.15-golang is now available for Red Hat Developer Tools.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
Security Fix(es):
* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
* golang: net: lookup functions may return invalid host names (CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
7.3 (High)
Affected products
Fixed
36 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Go. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in the net package and methods on the Resolver type, may return arbitrary values retrieved from DNS, allowing injection of unexpected contents. The highest threat from this vulnerability is to integrity.
7.5 (High)
Affected products
Fixed
36 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity.
5.3 (Medium)
Affected products
Fixed
36 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
20 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for go-toolset-1.15-golang is now available for Red Hat Developer Tools.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.\n\nSecurity Fix(es):\n\n* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)\n\n* golang: net: lookup functions may return invalid host names (CVE-2021-33195)\n\n* golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:3431",
"url": "https://access.redhat.com/errata/RHSA-2021:3431"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1989564",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989564"
},
{
"category": "external",
"summary": "1989570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989570"
},
{
"category": "external",
"summary": "1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3431.json"
}
],
"title": "Red Hat Security Advisory: go-toolset-1.15-golang security update",
"tracking": {
"current_release_date": "2026-04-29T18:00:24+00:00",
"generator": {
"date": "2026-04-29T18:00:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2021:3431",
"initial_release_date": "2021-09-07T08:38:58+00:00",
"revision_history": [
{
"date": "2021-09-07T08:38:58+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-09-07T08:38:58+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-29T18:00:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:devtools:2021"
}
}
},
{
"category": "product_name",
"name": "Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:devtools:2021"
}
}
}
],
"category": "product_family",
"name": "Red Hat Developer Tools"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"product": {
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"product_id": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang@1.15.14-2.el7_9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"product": {
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"product_id": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang@1.15.14-2.el7_9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"product": {
"name": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"product_id": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-bin@1.15.14-2.el7_9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"product": {
"name": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"product_id": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-misc@1.15.14-2.el7_9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"product": {
"name": "go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"product_id": "go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-race@1.15.14-2.el7_9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"product": {
"name": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"product_id": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-src@1.15.14-2.el7_9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"product": {
"name": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"product_id": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-tests@1.15.14-2.el7_9?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"product": {
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"product_id": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang@1.15.14-2.el7_9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"product": {
"name": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"product_id": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-bin@1.15.14-2.el7_9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"product": {
"name": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"product_id": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-misc@1.15.14-2.el7_9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"product": {
"name": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"product_id": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-src@1.15.14-2.el7_9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"product": {
"name": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"product_id": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-tests@1.15.14-2.el7_9?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"product": {
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"product_id": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang@1.15.14-2.el7_9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"product": {
"name": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"product_id": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-bin@1.15.14-2.el7_9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"product": {
"name": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"product_id": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-misc@1.15.14-2.el7_9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"product": {
"name": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"product_id": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-src@1.15.14-2.el7_9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"product": {
"name": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"product_id": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-tests@1.15.14-2.el7_9?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"product": {
"name": "go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"product_id": "go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset-1.15-golang-docs@1.15.14-2.el7_9?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le"
},
"product_reference": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x"
},
"product_reference": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.src as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src"
},
"product_reference": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64 as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64"
},
"product_reference": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le"
},
"product_reference": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x"
},
"product_reference": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64 as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64"
},
"product_reference": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch"
},
"product_reference": "go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le"
},
"product_reference": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x"
},
"product_reference": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64 as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64"
},
"product_reference": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64 as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64"
},
"product_reference": "go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le"
},
"product_reference": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x"
},
"product_reference": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64 as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64"
},
"product_reference": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le"
},
"product_reference": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x"
},
"product_reference": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64 as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64"
},
"product_reference": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"relates_to_product_reference": "7Server-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le"
},
"product_reference": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x"
},
"product_reference": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.src as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src"
},
"product_reference": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64 as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64"
},
"product_reference": "go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le"
},
"product_reference": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x"
},
"product_reference": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64 as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64"
},
"product_reference": "go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch"
},
"product_reference": "go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le"
},
"product_reference": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x"
},
"product_reference": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64 as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64"
},
"product_reference": "go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64 as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64"
},
"product_reference": "go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le"
},
"product_reference": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x"
},
"product_reference": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64 as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64"
},
"product_reference": "go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le"
},
"product_reference": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x"
},
"product_reference": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64 as a component of Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64"
},
"product_reference": "go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"relates_to_product_reference": "7Workstation-DevTools-2021.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-29923",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-08-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1992006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability potentially affects any component written in Go that uses the net standard library and ParseIP / ParseCIDR functions. There are components which might not use these functions or might use them to parse IP addresses and not manage them in any way (only store information about the ip address) . This reduces the severity of this vulnerability to Low for the following offerings:\n* OpenShift distributed tracing (formerly OpenShift Jaeger)\n* OpenShift Migration Toolkit for Containers\n* OpenShift Container Platform",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29923"
},
{
"category": "external",
"summary": "RHBZ#1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923"
},
{
"category": "external",
"summary": "https://sick.codes/sick-2021-016/",
"url": "https://sick.codes/sick-2021-016/"
}
],
"release_date": "2021-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-07T08:38:58+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet"
},
{
"cve": "CVE-2021-33195",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-08-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1989564"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in the net package and methods on the Resolver type, may return arbitrary values retrieved from DNS, allowing injection of unexpected contents. The highest threat from this vulnerability is to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net: lookup functions may return invalid host names",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* Since OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* For Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the golang-qpid-apache package.\n\n* In Service Telemetry Framework, because the flaw has a lower impact and the package is not directly used by STF, no updates will be provided at this time for the STF containers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-33195"
},
{
"category": "external",
"summary": "RHBZ#1989564",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989564"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-33195",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33195"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-33195",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33195"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI",
"url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI"
}
],
"release_date": "2021-05-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-07T08:38:58+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3431"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net: lookup functions may return invalid host names"
},
{
"cve": "CVE-2021-33197",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-08-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1989570"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* Since OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* For Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the golang-qpid-apache package.\n\n* In Service Telemetry Framework, because the flaw has a lower impact and the package is not directly used by STF, no updates will be provided at this time for the STF containers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-33197"
},
{
"category": "external",
"summary": "RHBZ#1989570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-33197",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33197"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-33197",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33197"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI",
"url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI"
}
],
"release_date": "2021-05-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-07T08:38:58+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3431"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Server-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.src",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-bin-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-docs-0:1.15.14-2.el7_9.noarch",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-misc-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-race-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-src-0:1.15.14-2.el7_9.x86_64",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.ppc64le",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.s390x",
"7Workstation-DevTools-2021.2:go-toolset-1.15-golang-tests-0:1.15.14-2.el7_9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty"
}
]
}
RHSA-2021:3585
Vulnerability from csaf_redhat - Published: 2021-09-21 10:07 - Updated: 2026-04-29 18:00Summary
Red Hat Security Advisory: go-toolset:rhel8 security update
Severity
Moderate
Notes
Topic: An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
Security Fix(es):
* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
7.3 (High)
Affected products
Fixed
23 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-docs-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-misc-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-race-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-src-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:golang-tests-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
10 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \n\nSecurity Fix(es):\n\n* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:3585",
"url": "https://access.redhat.com/errata/RHSA-2021:3585"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_developer_tools/1/html/using_go_1.15.7_toolset",
"url": "https://access.redhat.com/documentation/en-us/red_hat_developer_tools/1/html/using_go_1.15.7_toolset"
},
{
"category": "external",
"summary": "1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3585.json"
}
],
"title": "Red Hat Security Advisory: go-toolset:rhel8 security update",
"tracking": {
"current_release_date": "2026-04-29T18:00:24+00:00",
"generator": {
"date": "2026-04-29T18:00:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2021:3585",
"initial_release_date": "2021-09-21T10:07:10+00:00",
"revision_history": [
{
"date": "2021-09-21T10:07:10+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-09-21T10:07:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-29T18:00:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64 (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"product": {
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64 (go-toolset:rhel8)",
"product_id": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64 (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=src\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"product": {
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src (go-toolset:rhel8)",
"product_id": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=src\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"product": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src (go-toolset:rhel8)",
"product_id": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.5.0-2.module%2Bel8.4.0%2B8864%2B58b0fcdb?arch=src\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"product": {
"name": "golang-docs-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch (go-toolset:rhel8)",
"product_id": "golang-docs-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=noarch\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"product": {
"name": "golang-misc-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch (go-toolset:rhel8)",
"product_id": "golang-misc-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=noarch\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"product": {
"name": "golang-src-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch (go-toolset:rhel8)",
"product_id": "golang-src-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=noarch\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"product": {
"name": "golang-tests-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch (go-toolset:rhel8)",
"product_id": "golang-tests-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=noarch\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"product": {
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le (go-toolset:rhel8)",
"product_id": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=s390x\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"product": {
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x (go-toolset:rhel8)",
"product_id": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=s390x\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=s390x\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8)",
"product_id": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.5.0-2.module%2Bel8.4.0%2B8864%2B58b0fcdb?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.5.0-2.module%2Bel8.4.0%2B8864%2B58b0fcdb?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.5.0-2.module%2Bel8.4.0%2B8864%2B58b0fcdb?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64 (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64 (go-toolset:rhel8)",
"product_id": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64 (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-race-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64 (go-toolset:rhel8)",
"product_id": "golang-race-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.15.14-2.module%2Bel8.4.0%2B12542%2Be3fec473?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020210909125047:5081a262"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-docs-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-misc-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-race-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-src-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:golang-tests-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-29923",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-08-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1992006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability potentially affects any component written in Go that uses the net standard library and ParseIP / ParseCIDR functions. There are components which might not use these functions or might use them to parse IP addresses and not manage them in any way (only store information about the ip address) . This reduces the severity of this vulnerability to Low for the following offerings:\n* OpenShift distributed tracing (formerly OpenShift Jaeger)\n* OpenShift Migration Toolkit for Containers\n* OpenShift Container Platform",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.MAIN.EUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-docs-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-misc-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-race-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-src-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-tests-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29923"
},
{
"category": "external",
"summary": "RHBZ#1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923"
},
{
"category": "external",
"summary": "https://sick.codes/sick-2021-016/",
"url": "https://sick.codes/sick-2021-016/"
}
],
"release_date": "2021-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-21T10:07:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.MAIN.EUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-docs-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-misc-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-race-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-src-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-tests-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3585"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.4.0.Z.MAIN.EUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-docs-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-misc-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-race-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-src-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-tests-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.MAIN.EUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:go-toolset-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.aarch64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.ppc64le::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.s390x::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-bin-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-docs-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-misc-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-race-0:1.15.14-2.module+el8.4.0+12542+e3fec473.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-src-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.MAIN.EUS:golang-tests-0:1.15.14-2.module+el8.4.0+12542+e3fec473.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet"
}
]
}
RHSA-2021:4722
Vulnerability from csaf_redhat - Published: 2021-11-17 15:38 - Updated: 2026-04-29 18:00Summary
Red Hat Security Advisory: OpenShift Virtualization 2.6.8 RPMs security and bug fix update
Severity
Moderate
Notes
Topic: Red Hat OpenShift Virtualization release 2.6.8 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains OpenShift Virtualization 2.6.8 RPMs.
Security Fix(es):
* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
7.3 (High)
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-CNV-2.6:kubevirt-0:2.6.8-211.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:kubevirt-0:2.6.8-211.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
6.5 (Medium)
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-CNV-2.6:kubevirt-0:2.6.8-211.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:kubevirt-0:2.6.8-211.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
References
17 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Virtualization release 2.6.8 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenShift Virtualization is Red Hat\u0027s virtualization solution designed for Red Hat OpenShift Container Platform. \n\nThis advisory contains OpenShift Virtualization 2.6.8 RPMs.\n\nSecurity Fix(es):\n\n* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)\n\n* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:4722",
"url": "https://access.redhat.com/errata/RHSA-2021:4722"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1983596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
},
{
"category": "external",
"summary": "1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "2012329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2012329"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4722.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Virtualization 2.6.8 RPMs security and bug fix update",
"tracking": {
"current_release_date": "2026-04-29T18:00:25+00:00",
"generator": {
"date": "2026-04-29T18:00:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2021:4722",
"initial_release_date": "2021-11-17T15:38:20+00:00",
"revision_history": [
{
"date": "2021-11-17T15:38:20+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-11-17T15:38:20+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-29T18:00:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CNV 2.6 for RHEL 8",
"product": {
"name": "CNV 2.6 for RHEL 8",
"product_id": "8Base-CNV-2.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:container_native_virtualization:2.6::el8"
}
}
},
{
"category": "product_name",
"name": "CNV 2.6 for RHEL 7",
"product": {
"name": "CNV 2.6 for RHEL 7",
"product_id": "7Server-CNV-2.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:container_native_virtualization:2.6::el7"
}
}
}
],
"category": "product_family",
"name": "OpenShift Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-0:2.6.8-211.el8.src",
"product": {
"name": "kubevirt-0:2.6.8-211.el8.src",
"product_id": "kubevirt-0:2.6.8-211.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt@2.6.8-211.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "kubevirt-0:2.6.8-211.el7.src",
"product": {
"name": "kubevirt-0:2.6.8-211.el7.src",
"product_id": "kubevirt-0:2.6.8-211.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt@2.6.8-211.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-virtctl-0:2.6.8-211.el8.x86_64",
"product": {
"name": "kubevirt-virtctl-0:2.6.8-211.el8.x86_64",
"product_id": "kubevirt-virtctl-0:2.6.8-211.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt-virtctl@2.6.8-211.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64",
"product": {
"name": "kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64",
"product_id": "kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt-virtctl-redistributable@2.6.8-211.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-0:2.6.8-211.el7.x86_64",
"product": {
"name": "kubevirt-virtctl-0:2.6.8-211.el7.x86_64",
"product_id": "kubevirt-virtctl-0:2.6.8-211.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt-virtctl@2.6.8-211.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64",
"product": {
"name": "kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64",
"product_id": "kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt-virtctl-redistributable@2.6.8-211.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-0:2.6.8-211.el7.src as a component of CNV 2.6 for RHEL 7",
"product_id": "7Server-CNV-2.6:kubevirt-0:2.6.8-211.el7.src"
},
"product_reference": "kubevirt-0:2.6.8-211.el7.src",
"relates_to_product_reference": "7Server-CNV-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-0:2.6.8-211.el7.x86_64 as a component of CNV 2.6 for RHEL 7",
"product_id": "7Server-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el7.x86_64"
},
"product_reference": "kubevirt-virtctl-0:2.6.8-211.el7.x86_64",
"relates_to_product_reference": "7Server-CNV-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64 as a component of CNV 2.6 for RHEL 7",
"product_id": "7Server-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64"
},
"product_reference": "kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64",
"relates_to_product_reference": "7Server-CNV-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-0:2.6.8-211.el8.src as a component of CNV 2.6 for RHEL 8",
"product_id": "8Base-CNV-2.6:kubevirt-0:2.6.8-211.el8.src"
},
"product_reference": "kubevirt-0:2.6.8-211.el8.src",
"relates_to_product_reference": "8Base-CNV-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-0:2.6.8-211.el8.x86_64 as a component of CNV 2.6 for RHEL 8",
"product_id": "8Base-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el8.x86_64"
},
"product_reference": "kubevirt-virtctl-0:2.6.8-211.el8.x86_64",
"relates_to_product_reference": "8Base-CNV-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64 as a component of CNV 2.6 for RHEL 8",
"product_id": "8Base-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64"
},
"product_reference": "kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64",
"relates_to_product_reference": "8Base-CNV-2.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-29923",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-08-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1992006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability potentially affects any component written in Go that uses the net standard library and ParseIP / ParseCIDR functions. There are components which might not use these functions or might use them to parse IP addresses and not manage them in any way (only store information about the ip address) . This reduces the severity of this vulnerability to Low for the following offerings:\n* OpenShift distributed tracing (formerly OpenShift Jaeger)\n* OpenShift Migration Toolkit for Containers\n* OpenShift Container Platform",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-CNV-2.6:kubevirt-0:2.6.8-211.el7.src",
"7Server-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el7.x86_64",
"7Server-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64",
"8Base-CNV-2.6:kubevirt-0:2.6.8-211.el8.src",
"8Base-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el8.x86_64",
"8Base-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29923"
},
{
"category": "external",
"summary": "RHBZ#1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923"
},
{
"category": "external",
"summary": "https://sick.codes/sick-2021-016/",
"url": "https://sick.codes/sick-2021-016/"
}
],
"release_date": "2021-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-11-17T15:38:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-CNV-2.6:kubevirt-0:2.6.8-211.el7.src",
"7Server-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el7.x86_64",
"7Server-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64",
"8Base-CNV-2.6:kubevirt-0:2.6.8-211.el8.src",
"8Base-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el8.x86_64",
"8Base-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4722"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"7Server-CNV-2.6:kubevirt-0:2.6.8-211.el7.src",
"7Server-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el7.x86_64",
"7Server-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64",
"8Base-CNV-2.6:kubevirt-0:2.6.8-211.el8.src",
"8Base-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el8.x86_64",
"8Base-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-CNV-2.6:kubevirt-0:2.6.8-211.el7.src",
"7Server-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el7.x86_64",
"7Server-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64",
"8Base-CNV-2.6:kubevirt-0:2.6.8-211.el8.src",
"8Base-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el8.x86_64",
"8Base-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet"
},
{
"cve": "CVE-2021-34558",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1983596"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate\u0027s private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0\u20131.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* This vulnerability potentially affects any component written in Go that uses crypto/tls from the standard library. It is possible for components that make client connections to malicious servers to be exploited, however the maximum impact is a crash. This vulnerability is rated Low for the following components: \n - OpenShift Container Platform\n - OpenShift distributed tracing (formerly OpenShift Jaeger)\n - OpenShift Migration Toolkit for Containers\n - Red Hat Advanced Cluster Management for Kubernetes\n - Red Hat OpenShift on AWS\n - Red Hat OpenShift Virtualization\n\n* Because OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* Because Service Telemetry Framework1.2 will be retiring soon and the flaw\u0027s impact is lower, no update will be provided at this time for STF1.2\u0027s containers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-CNV-2.6:kubevirt-0:2.6.8-211.el7.src",
"7Server-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el7.x86_64",
"7Server-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64",
"8Base-CNV-2.6:kubevirt-0:2.6.8-211.el8.src",
"8Base-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el8.x86_64",
"8Base-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-34558"
},
{
"category": "external",
"summary": "RHBZ#1983596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-34558",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34558"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558"
},
{
"category": "external",
"summary": "https://golang.org/doc/devel/release#go1.15.minor",
"url": "https://golang.org/doc/devel/release#go1.15.minor"
},
{
"category": "external",
"summary": "https://golang.org/doc/devel/release#go1.16.minor",
"url": "https://golang.org/doc/devel/release#go1.16.minor"
}
],
"release_date": "2021-07-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-11-17T15:38:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-CNV-2.6:kubevirt-0:2.6.8-211.el7.src",
"7Server-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el7.x86_64",
"7Server-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64",
"8Base-CNV-2.6:kubevirt-0:2.6.8-211.el8.src",
"8Base-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el8.x86_64",
"8Base-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4722"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"7Server-CNV-2.6:kubevirt-0:2.6.8-211.el7.src",
"7Server-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el7.x86_64",
"7Server-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64",
"8Base-CNV-2.6:kubevirt-0:2.6.8-211.el8.src",
"8Base-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el8.x86_64",
"8Base-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-CNV-2.6:kubevirt-0:2.6.8-211.el7.src",
"7Server-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el7.x86_64",
"7Server-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el7.x86_64",
"8Base-CNV-2.6:kubevirt-0:2.6.8-211.el8.src",
"8Base-CNV-2.6:kubevirt-virtctl-0:2.6.8-211.el8.x86_64",
"8Base-CNV-2.6:kubevirt-virtctl-redistributable-0:2.6.8-211.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic"
}
]
}
RHSA-2021:4725
Vulnerability from csaf_redhat - Published: 2021-11-17 18:39 - Updated: 2026-04-29 18:00Summary
Red Hat Security Advisory: OpenShift Virtualization 2.6.8 Images security and bug fix update
Severity
Moderate
Notes
Topic: Red Hat OpenShift Virtualization release 2.6.8 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains the following OpenShift Virtualization 2.6.8 images:
RHEL-8-CNV-2.6
==============
kubevirt-v2v-conversion-container-v2.6.8-1
hyperconverged-cluster-webhook-container-v2.6.8-1
vm-import-controller-container-v2.6.8-1
kubevirt-cpu-model-nfd-plugin-container-v2.6.8-2
vm-import-operator-container-v2.6.8-1
kubevirt-cpu-node-labeller-container-v2.6.8-1
kubevirt-ssp-operator-container-v2.6.8-1
kubemacpool-container-v2.6.8-1
cluster-network-addons-operator-container-v2.6.8-1
virt-cdi-cloner-container-v2.6.8-1
virt-cdi-uploadproxy-container-v2.6.8-1
kubernetes-nmstate-handler-container-v2.6.8-1
ovs-cni-plugin-container-v2.6.8-1
ovs-cni-marker-container-v2.6.8-1
hostpath-provisioner-operator-container-v2.6.8-1
kubevirt-vmware-container-v2.6.8-2
kubevirt-template-validator-container-v2.6.8-2
kubevirt-kvm-info-nfd-plugin-container-v2.6.8-1
node-maintenance-operator-container-v2.6.8-1
vm-import-virtv2v-container-v2.6.8-1
hostpath-provisioner-container-v2.6.8-1
virt-cdi-uploadserver-container-v2.6.8-1
cnv-containernetworking-plugins-container-v2.6.8-1
virtio-win-container-v2.6.8-2
virt-cdi-controller-container-v2.6.8-1
virt-cdi-importer-container-v2.6.8-1
virt-cdi-apiserver-container-v2.6.8-1
virt-cdi-operator-container-v2.6.8-1
bridge-marker-container-v2.6.8-1
hyperconverged-cluster-operator-container-v2.6.8-1
cnv-must-gather-container-v2.6.8-5
virt-launcher-container-v2.6.8-5
virt-operator-container-v2.6.8-5
virt-api-container-v2.6.8-5
virt-controller-container-v2.6.8-5
virt-handler-container-v2.6.8-5
hco-bundle-registry-container-v2.6.8-23
Security Fix(es):
* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
7.3 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
6.5 (Medium)
Affected products
Fixed
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Virtualization release 2.6.8 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenShift Virtualization is Red Hat\u0027s virtualization solution designed for Red Hat OpenShift Container Platform.\n\nThis advisory contains the following OpenShift Virtualization 2.6.8 images:\n\nRHEL-8-CNV-2.6\n==============\nkubevirt-v2v-conversion-container-v2.6.8-1\nhyperconverged-cluster-webhook-container-v2.6.8-1\nvm-import-controller-container-v2.6.8-1\nkubevirt-cpu-model-nfd-plugin-container-v2.6.8-2\nvm-import-operator-container-v2.6.8-1\nkubevirt-cpu-node-labeller-container-v2.6.8-1\nkubevirt-ssp-operator-container-v2.6.8-1\nkubemacpool-container-v2.6.8-1\ncluster-network-addons-operator-container-v2.6.8-1\nvirt-cdi-cloner-container-v2.6.8-1\nvirt-cdi-uploadproxy-container-v2.6.8-1\nkubernetes-nmstate-handler-container-v2.6.8-1\novs-cni-plugin-container-v2.6.8-1\novs-cni-marker-container-v2.6.8-1\nhostpath-provisioner-operator-container-v2.6.8-1\nkubevirt-vmware-container-v2.6.8-2\nkubevirt-template-validator-container-v2.6.8-2\nkubevirt-kvm-info-nfd-plugin-container-v2.6.8-1\nnode-maintenance-operator-container-v2.6.8-1\nvm-import-virtv2v-container-v2.6.8-1\nhostpath-provisioner-container-v2.6.8-1\nvirt-cdi-uploadserver-container-v2.6.8-1\ncnv-containernetworking-plugins-container-v2.6.8-1\nvirtio-win-container-v2.6.8-2\nvirt-cdi-controller-container-v2.6.8-1\nvirt-cdi-importer-container-v2.6.8-1\nvirt-cdi-apiserver-container-v2.6.8-1\nvirt-cdi-operator-container-v2.6.8-1\nbridge-marker-container-v2.6.8-1\nhyperconverged-cluster-operator-container-v2.6.8-1\ncnv-must-gather-container-v2.6.8-5\nvirt-launcher-container-v2.6.8-5\nvirt-operator-container-v2.6.8-5\nvirt-api-container-v2.6.8-5\nvirt-controller-container-v2.6.8-5\nvirt-handler-container-v2.6.8-5\nhco-bundle-registry-container-v2.6.8-23\n\nSecurity Fix(es):\n\n* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)\n\n* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:4725",
"url": "https://access.redhat.com/errata/RHSA-2021:4725"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1983596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
},
{
"category": "external",
"summary": "1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "1998844",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1998844"
},
{
"category": "external",
"summary": "2008522",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2008522"
},
{
"category": "external",
"summary": "2010334",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010334"
},
{
"category": "external",
"summary": "2012328",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2012328"
},
{
"category": "external",
"summary": "2013494",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013494"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4725.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Virtualization 2.6.8 Images security and bug fix update",
"tracking": {
"current_release_date": "2026-04-29T18:00:26+00:00",
"generator": {
"date": "2026-04-29T18:00:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2021:4725",
"initial_release_date": "2021-11-17T18:39:29+00:00",
"revision_history": [
{
"date": "2021-11-17T18:39:29+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-11-17T18:39:29+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-29T18:00:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CNV 2.6 for RHEL 8",
"product": {
"name": "CNV 2.6 for RHEL 8",
"product_id": "8Base-CNV-2.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:container_native_virtualization:2.6::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64",
"product_id": "container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-cpu-model-nfd-plugin\u0026tag=v2.6.8-2"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64",
"product_id": "container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-cpu-node-labeller\u0026tag=v2.6.8-1"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64",
"product_id": "container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-kvm-info-nfd-plugin\u0026tag=v2.6.8-1"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"product": {
"name": "container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"product_id": "container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"product_identification_helper": {
"purl": "pkg:oci/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/vm-import-controller\u0026tag=v2.6.8-1"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"product": {
"name": "container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"product_id": "container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"product_identification_helper": {
"purl": "pkg:oci/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/vm-import-controller-rhel8\u0026tag=v2.6.8-1"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64 as a component of CNV 2.6 for RHEL 8",
"product_id": "8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64",
"relates_to_product_reference": "8Base-CNV-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64 as a component of CNV 2.6 for RHEL 8",
"product_id": "8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64",
"relates_to_product_reference": "8Base-CNV-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64 as a component of CNV 2.6 for RHEL 8",
"product_id": "8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64",
"relates_to_product_reference": "8Base-CNV-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64 as a component of CNV 2.6 for RHEL 8",
"product_id": "8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64"
},
"product_reference": "container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"relates_to_product_reference": "8Base-CNV-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64 as a component of CNV 2.6 for RHEL 8",
"product_id": "8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64"
},
"product_reference": "container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"relates_to_product_reference": "8Base-CNV-2.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-29923",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-08-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1992006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability potentially affects any component written in Go that uses the net standard library and ParseIP / ParseCIDR functions. There are components which might not use these functions or might use them to parse IP addresses and not manage them in any way (only store information about the ip address) . This reduces the severity of this vulnerability to Low for the following offerings:\n* OpenShift distributed tracing (formerly OpenShift Jaeger)\n* OpenShift Migration Toolkit for Containers\n* OpenShift Container Platform",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64"
],
"known_not_affected": [
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29923"
},
{
"category": "external",
"summary": "RHBZ#1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923"
},
{
"category": "external",
"summary": "https://sick.codes/sick-2021-016/",
"url": "https://sick.codes/sick-2021-016/"
}
],
"release_date": "2021-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-11-17T18:39:29+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4725"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet"
},
{
"cve": "CVE-2021-34558",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1983596"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate\u0027s private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0\u20131.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* This vulnerability potentially affects any component written in Go that uses crypto/tls from the standard library. It is possible for components that make client connections to malicious servers to be exploited, however the maximum impact is a crash. This vulnerability is rated Low for the following components: \n - OpenShift Container Platform\n - OpenShift distributed tracing (formerly OpenShift Jaeger)\n - OpenShift Migration Toolkit for Containers\n - Red Hat Advanced Cluster Management for Kubernetes\n - Red Hat OpenShift on AWS\n - Red Hat OpenShift Virtualization\n\n* Because OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* Because Service Telemetry Framework1.2 will be retiring soon and the flaw\u0027s impact is lower, no update will be provided at this time for STF1.2\u0027s containers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-34558"
},
{
"category": "external",
"summary": "RHBZ#1983596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-34558",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34558"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558"
},
{
"category": "external",
"summary": "https://golang.org/doc/devel/release#go1.15.minor",
"url": "https://golang.org/doc/devel/release#go1.15.minor"
},
{
"category": "external",
"summary": "https://golang.org/doc/devel/release#go1.16.minor",
"url": "https://golang.org/doc/devel/release#go1.16.minor"
}
],
"release_date": "2021-07-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-11-17T18:39:29+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4725"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:1c1628b639e26d05faf413c775d22d4a0ddd51d033473f740b2741b3d81e1716_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:5888aa247f7e7a1e1e169fc224854527fa314e617d567c4fc6a36666ef783218_amd64",
"8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:c4bf7b19fa46e3ce2e43051a9b108662f0061325ab417aaca71b00c3821910eb_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64",
"8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:be60d10cd7bc87227136534878dc750f59da0a97eb2cc74f331e80e681feb098_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic"
}
]
}
RHSA-2021:4902
Vulnerability from csaf_redhat - Published: 2021-12-01 17:22 - Updated: 2026-05-14 22:31Summary
Red Hat Security Advisory: ACS 3.67 security and enhancement update
Severity
Moderate
Notes
Topic: Updated images are now available for Red Hat Advanced Cluster Security for
Kubernetes (RHACS).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The release of RHACS 3.67 provides the following new features, bug fixes, security patches and system changes:
OpenShift Dedicated support
RHACS 3.67 is thoroughly tested and supported on OpenShift Dedicated on Amazon Web Services and Google Cloud Platform.
1. Use OpenShift OAuth server as an identity provider
If you are using RHACS with OpenShift, you can now configure the built-in OpenShift OAuth server as an identity provider for RHACS.
2. Enhancements for CI outputs
Red Hat has improved the usability of RHACS CI integrations. CI outputs now show additional detailed information about the vulnerabilities and the security policies responsible for broken builds.
3. Runtime Class policy criteria
Users can now use RHACS to define the container runtime configuration that may be used to run a pod’s containers using the Runtime Class policy criteria.
Security Fix(es):
* civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API (CVE-2020-27304)
* nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749)
* nodejs-prismjs: ReDoS vulnerability (CVE-2021-3801)
* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
* helm: information disclosure vulnerability (CVE-2021-32690)
* golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196) (CVE-2021-39293)
* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fixes
The release of RHACS 3.67 includes the following bug fixes:
1. Previously, when using RHACS with the Compliance Operator integration, RHACS did not respect or populate Compliance Operator TailoredProfiles. This has been fixed.
2. Previously, the Alpine Linux package manager (APK) in Image policy looked for the presence of apk package in the image rather than the apk-tools package. This issue has been fixed.
System changes
The release of RHACS 3.67 includes the following system changes:
1. Scanner now identifies vulnerabilities in Ubuntu 21.10 images.
2. The Port exposure method policy criteria now include route as an exposure method.
3. The OpenShift: Kubeadmin Secret Accessed security policy now allows the OpenShift Compliance Operator to check for the existence of the Kubeadmin secret without creating a violation.
4. The OpenShift Compliance Operator integration now supports using TailoredProfiles.
5. The RHACS Jenkins plugin now provides additional security information.
6. When you enable the environment variable ROX_NETWORK_ACCESS_LOG for Central, the logs contain the Request URI and X-Forwarded-For header values.
7. The default uid:gid pair for the Scanner image is now 65534:65534.
8. RHACS adds a new default Scope Manager role that includes minimum permissions to create and modify access scopes.
9. If microdnf is part of an image or shows up in process execution, RHACS reports it as a security violation for the Red Hat Package Manager in Image or the Red Hat Package Manager Execution security policies.
10. In addition to manually uploading vulnerability definitions in offline mode, you can now upload definitions in online mode.
11. You can now format the output of the following roxctl CLI commands in table, csv, or JSON format: image scan, image check & deployment check
12. You can now use a regular expression for the deployment name while specifying policy exclusions
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A remote code execution vulnerability was found in CivetWeb (embeddable web server/library). Due to a directory traversal issue, an attacker is able to add or overwrite files that are subsequently executed which lead to impact to confidentiality, integrity, and availability of the application.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64 | — |
Vendor Fix
fix
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64 | — |
Threats
Impact
Low
A Regular Expression Denial of Service (ReDoS) vulnerability was found in the nodejs axios. This flaw allows an attacker to provide crafted input to the trim function, which might cause high resources consumption and as a consequence lead to denial of service. The highest threat from this vulnerability is system availability.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64 | — |
Vendor Fix
fix
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64 | — |
Threats
Impact
Moderate
Insufficient Regular Expression Complexity in prismjs leads to a Regular Expression Denial of Service (ReDoS) attack. An unauthenticated attacker can exploit this flaw to cause an application to consume an excess amount of CPU by providing a crafted HTML comment as input. This can result in a denial of service attack.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64 | — |
Vendor Fix
fix
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64 | — |
Threats
Impact
Moderate
A flaw was found in nodejs-path-parse. All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64 | — |
Vendor Fix
fix
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64 | — |
Threats
Impact
Low
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
7.3 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A vulnerability was discovered in Helm, which could allow credentials associated with one Helm repository to be leaked to another repository referenced by the first one. In order to exploit this vulnerability, an attacker would need to control a repository trusted by the configuration of the target Helm instance.
6.8 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64 | — |
Vendor Fix
fix
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64 | — |
Threats
Impact
Moderate
A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. An attacker capable of submitting a crafted ZIP file to a Go application using archive/zip to process that file could cause a denial of service via memory exhaustion or panic. This particular flaw is an incomplete fix for a previous flaw.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64 | — |
Vendor Fix
fix
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64 | — |
Threats
Impact
Moderate
References
46 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat Advanced Cluster Security for\nKubernetes (RHACS).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The release of RHACS 3.67 provides the following new features, bug fixes, security patches and system changes:\n\nOpenShift Dedicated support\n\nRHACS 3.67 is thoroughly tested and supported on OpenShift Dedicated on Amazon Web Services and Google Cloud Platform.\n\n1. Use OpenShift OAuth server as an identity provider\nIf you are using RHACS with OpenShift, you can now configure the built-in OpenShift OAuth server as an identity provider for RHACS. \n\n2. Enhancements for CI outputs\nRed Hat has improved the usability of RHACS CI integrations. CI outputs now show additional detailed information about the vulnerabilities and the security policies responsible for broken builds.\n\n3. Runtime Class policy criteria\nUsers can now use RHACS to define the container runtime configuration that may be used to run a pod\u2019s containers using the Runtime Class policy criteria.\n\nSecurity Fix(es):\n\n* civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API (CVE-2020-27304)\n\n* nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749)\n\n* nodejs-prismjs: ReDoS vulnerability (CVE-2021-3801)\n\n* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)\n\n* helm: information disclosure vulnerability (CVE-2021-32690)\n\n* golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196) (CVE-2021-39293)\n\n* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fixes\nThe release of RHACS 3.67 includes the following bug fixes:\n\n1. Previously, when using RHACS with the Compliance Operator integration, RHACS did not respect or populate Compliance Operator TailoredProfiles. This has been fixed.\n\n2. Previously, the Alpine Linux package manager (APK) in Image policy looked for the presence of apk package in the image rather than the apk-tools package. This issue has been fixed.\n\nSystem changes\nThe release of RHACS 3.67 includes the following system changes:\n\n1. Scanner now identifies vulnerabilities in Ubuntu 21.10 images.\n2. The Port exposure method policy criteria now include route as an exposure method.\n3. The OpenShift: Kubeadmin Secret Accessed security policy now allows the OpenShift Compliance Operator to check for the existence of the Kubeadmin secret without creating a violation.\n4. The OpenShift Compliance Operator integration now supports using TailoredProfiles.\n5. The RHACS Jenkins plugin now provides additional security information.\n6. When you enable the environment variable ROX_NETWORK_ACCESS_LOG for Central, the logs contain the Request URI and X-Forwarded-For header values.\n7. The default uid:gid pair for the Scanner image is now 65534:65534.\n8. RHACS adds a new default Scope Manager role that includes minimum permissions to create and modify access scopes.\n9. If microdnf is part of an image or shows up in process execution, RHACS reports it as a security violation for the Red Hat Package Manager in Image or the Red Hat Package Manager Execution security policies.\n10. In addition to manually uploading vulnerability definitions in offline mode, you can now upload definitions in online mode. \n11. You can now format the output of the following roxctl CLI commands in table, csv, or JSON format: image scan, image check \u0026 deployment check\n12. You can now use a regular expression for the deployment name while specifying policy exclusions",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:4902",
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1956818",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956818"
},
{
"category": "external",
"summary": "1978144",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1978144"
},
{
"category": "external",
"summary": "1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "1999784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999784"
},
{
"category": "external",
"summary": "2005445",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005445"
},
{
"category": "external",
"summary": "2006044",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2006044"
},
{
"category": "external",
"summary": "2016640",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2016640"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4902.json"
}
],
"title": "Red Hat Security Advisory: ACS 3.67 security and enhancement update",
"tracking": {
"current_release_date": "2026-05-14T22:31:51+00:00",
"generator": {
"date": "2026-05-14T22:31:51+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2021:4902",
"initial_release_date": "2021-12-01T17:22:46+00:00",
"revision_history": [
{
"date": "2021-12-01T17:22:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-12-01T17:22:46+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:31:51+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHACS 3.67 for RHEL 8",
"product": {
"name": "RHACS 3.67 for RHEL 8",
"product_id": "8Base-RHACS-3.67",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:advanced_cluster_security:3.67::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Advanced Cluster Security for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"product_id": "advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle\u0026tag=3.67.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64",
"product_id": "advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator\u0026tag=3.67.0-3"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64 as a component of RHACS 3.67 for RHEL 8",
"product_id": "8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"relates_to_product_reference": "8Base-RHACS-3.67"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64 as a component of RHACS 3.67 for RHEL 8",
"product_id": "8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64",
"relates_to_product_reference": "8Base-RHACS-3.67"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-27304",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2021-10-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2016640"
}
],
"notes": [
{
"category": "description",
"text": "A remote code execution vulnerability was found in CivetWeb (embeddable web server/library). Due to a directory traversal issue, an attacker is able to add or overwrite files that are subsequently executed which lead to impact to confidentiality, integrity, and availability of the application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue only impacts CivetWeb-based web applications that use the built-in file upload form handler (full working example in the \u201cembedded_c\u201d example in the CivetWeb sources).\n\nRed Hat Advanced Cluster Security includes code from CivetWeb in the Collector component, however it does not use the file upload form handler, hence is not impacted by this vulnerability. This vulnerability is rated Low for Red Hat Advanced Cluster Security.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-27304"
},
{
"category": "external",
"summary": "RHBZ#2016640",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2016640"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-27304",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27304"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-27304",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27304"
},
{
"category": "external",
"summary": "https://groups.google.com/g/civetweb/c/yPBxNXdGgJQ",
"url": "https://groups.google.com/g/civetweb/c/yPBxNXdGgJQ"
},
{
"category": "external",
"summary": "https://jfrog.com/blog/cve-2020-27304-rce-via-directory-traversal-in-civetweb-http-server/",
"url": "https://jfrog.com/blog/cve-2020-27304-rce-via-directory-traversal-in-civetweb-http-server/"
}
],
"release_date": "2021-10-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-01T17:22:46+00:00",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API"
},
{
"cve": "CVE-2021-3749",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-08-31T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1999784"
}
],
"notes": [
{
"category": "description",
"text": "A Regular Expression Denial of Service (ReDoS) vulnerability was found in the nodejs axios. This flaw allows an attacker to provide crafted input to the trim function, which might cause high resources consumption and as a consequence lead to denial of service. The highest threat from this vulnerability is system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-axios: Regular expression denial of service in trim function",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* OpenShift Container Platform (OCP) grafana-container does package a vulnerable version of nodejs axios. However, due to the instance being read only and behind OpenShift OAuth, the impact of this vulnerability is Low.\n\n* Red Hat Advanced Cluster Management for Kubernetes (RHACM) 2.1 and previous versions does contain a vulnerable version of nodejs axios, RHACM 2.2 on towards are not affected versions. For RHACM 2.1, due to the instance being read only and behind OAuth, the impact of this vulnerability is Low.\n\n* Because Service Telemetry Framework 1.2 will be retiring soon and the flaw\u0027s impact is lower, no update will be provided at this time for STF\u0027s service-telemetry-operator-container and smart-gateway-operator-container.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3749"
},
{
"category": "external",
"summary": "RHBZ#1999784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999784"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3749",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3749"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929",
"url": "https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929"
},
{
"category": "external",
"summary": "https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31",
"url": "https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-01T17:22:46+00:00",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-axios: Regular expression denial of service in trim function"
},
{
"cve": "CVE-2021-3801",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-09-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2005445"
}
],
"notes": [
{
"category": "description",
"text": "Insufficient Regular Expression Complexity in prismjs leads to a Regular Expression Denial of Service (ReDoS) attack. An unauthenticated attacker can exploit this flaw to cause an application to consume an excess amount of CPU by providing a crafted HTML comment as input. This can result in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-prismjs: ReDoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) grafana-container does package a vulnerable verison of prismjs. However due to the instance being read only and behind OpenShift OAuth, it has been given a Low impact. Additionally it has been marked as wont-fix at this time and may be fixed in a future release.\n\nJust as OCP, OpenShift ServiceMesh (OSSM) components are behind OpenShift OAuth what reducing impact to Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3801"
},
{
"category": "external",
"summary": "RHBZ#2005445",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005445"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3801",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3801"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3801",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3801"
}
],
"release_date": "2021-09-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-01T17:22:46+00:00",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-prismjs: ReDoS vulnerability"
},
{
"cve": "CVE-2021-23343",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-05-04T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1956818"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-path-parse. All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Had Quay , whilst a vulnerable version of `path-parse` is included in the quay-rhel8 container it is a development dependency only, hence the impact by this vulnerability is low.\n\nIn OpenShift Container Platform (OCP), the hadoop component which is a part of the OCP metering stack, ships the vulnerable version of \u0027path-parse\u0027.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected component is marked as wontfix.\nThis may be fixed in the future.\n\nIn Red Hat OpenShift Container Storage 4 the noobaa-core container includes the affected version of `path-parse`, however the vulnerable functionality is currently not used in any part of the product.\n\nIn Red Hat Virtualization cockpit-ovirt, ovirt-engine-ui-extensions and ovirt-web-ui use vulnerable version of `path-parse`, however for cockpit-ovirt it is a development time dependency only, and for ovirt-engine-ui-extensions and ovirt-web-ui the vulnerable functions are never used.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-23343"
},
{
"category": "external",
"summary": "RHBZ#1956818",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956818"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-23343",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23343"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343"
},
{
"category": "external",
"summary": "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067",
"url": "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067"
}
],
"release_date": "2021-05-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-01T17:22:46+00:00",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe"
},
{
"cve": "CVE-2021-29923",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-08-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1992006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability potentially affects any component written in Go that uses the net standard library and ParseIP / ParseCIDR functions. There are components which might not use these functions or might use them to parse IP addresses and not manage them in any way (only store information about the ip address) . This reduces the severity of this vulnerability to Low for the following offerings:\n* OpenShift distributed tracing (formerly OpenShift Jaeger)\n* OpenShift Migration Toolkit for Containers\n* OpenShift Container Platform",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29923"
},
{
"category": "external",
"summary": "RHBZ#1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923"
},
{
"category": "external",
"summary": "https://sick.codes/sick-2021-016/",
"url": "https://sick.codes/sick-2021-016/"
}
],
"release_date": "2021-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-01T17:22:46+00:00",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet"
},
{
"cve": "CVE-2021-32690",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-06-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1978144"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in Helm, which could allow credentials associated with one Helm repository to be leaked to another repository referenced by the first one. In order to exploit this vulnerability, an attacker would need to control a repository trusted by the configuration of the target Helm instance.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "helm: information disclosure vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Advanced Cluster Management for Kubernetes:\n\nIn Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are using helm chart provided by the installer, so components are not using untrusted charts except in the application-lifecycle area. For this reason we marked the impact as low. For RHACM, the credentials could be leaked only when a helm chart is stored in a domain other than the helm repository itself. In practice, this rarely happens as the chart is stored in the same helm repository. For example, this chart in the helm repo https://charts.helm.sh/stable/index.yaml references only charts stored in the same domain (charts.heml.sh). From version, 2.2 onwards, multicloud-operators-placementrule and multicloud-operators-deployable do not use helm at all.\n\nOpenShift Developer Tools and Services:\n\nThe OpenShift Helm team has analyzed this CVE and we have come to the conclusion that this only affects OpenShift Helm customers that use the CLI to install and update charts. It does not affect customers that use the OpenShift Console to install and update charts. To mitigate this issue, customers can refresh their Helm cli by following the Red Had official Helm install guide here: https://docs.openshift.com/container-platform/4.7/cli_reference/helm_cli/getting-started-with-helm-on-openshift-container-platform.html#installing-helm_getting-started-with-helm-on-openshift. The mirror (https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/) have already been updated with helm 3.6.2 which contains the fix for this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-32690"
},
{
"category": "external",
"summary": "RHBZ#1978144",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1978144"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-32690",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32690"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-32690",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32690"
},
{
"category": "external",
"summary": "https://github.com/helm/helm/security/advisories/GHSA-56hp-xqp3-w2jf",
"url": "https://github.com/helm/helm/security/advisories/GHSA-56hp-xqp3-w2jf"
}
],
"release_date": "2021-06-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-01T17:22:46+00:00",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "helm: information disclosure vulnerability"
},
{
"cve": "CVE-2021-39293",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-09-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2006044"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. An attacker capable of submitting a crafted ZIP file to a Go application using archive/zip to process that file could cause a denial of service via memory exhaustion or panic. This particular flaw is an incomplete fix for a previous flaw.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* In OpenShift Container Platform, multiple components are written in Go and use archive/zip from the standard library. However, all such components are short lived client side tools, not long lived server side executables. As the maximum impact of this vulnerability is a denial of service in client utilities, this vulnerability is rated Low for OpenShift Container Platform.\n\n* This flaw is out of support scope for Red Hat Enterprise Linux 7. For more information about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata\n\n* Because Service Telemetry Framework1.2 will be retiring soon and the flaw\u0027s impact is lower, no update will be provided at this time for STF1.2\u0027s smart-gateway-container and sg-core-container.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39293"
},
{
"category": "external",
"summary": "RHBZ#2006044",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2006044"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39293",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39293"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39293",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39293"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/dx9d7IOseHw",
"url": "https://groups.google.com/g/golang-announce/c/dx9d7IOseHw"
}
],
"release_date": "2021-08-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-01T17:22:46+00:00",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)"
}
]
}
RHSA-2021:4910
Vulnerability from csaf_redhat - Published: 2021-12-02 14:27 - Updated: 2026-04-29 18:00Summary
Red Hat Security Advisory: OpenShift Virtualization 4.8.3 RPMs security and bug fix update
Severity
Moderate
Notes
Topic: Red Hat OpenShift Virtualization release 4.8.3 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains OpenShift Virtualization 4.8.3 RPMs.
Security Fix(es):
* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
7.3 (High)
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-CNV-4.8:kubevirt-0:4.8.3-251.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-CNV-4.8:kubevirt-virtctl-0:4.8.3-251.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-CNV-4.8:kubevirt-virtctl-redistributable-0:4.8.3-251.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-4.8:kubevirt-0:4.8.3-251.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-4.8:kubevirt-virtctl-0:4.8.3-251.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-CNV-4.8:kubevirt-virtctl-redistributable-0:4.8.3-251.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
10 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Virtualization release 4.8.3 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenShift Virtualization is Red Hat\u0027s virtualization solution designed for Red Hat OpenShift Container Platform. \n\nThis advisory contains OpenShift Virtualization 4.8.3 RPMs.\n\nSecurity Fix(es):\n\n* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:4910",
"url": "https://access.redhat.com/errata/RHSA-2021:4910"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "2007344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007344"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4910.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Virtualization 4.8.3 RPMs security and bug fix update",
"tracking": {
"current_release_date": "2026-04-29T18:00:26+00:00",
"generator": {
"date": "2026-04-29T18:00:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2021:4910",
"initial_release_date": "2021-12-02T14:27:54+00:00",
"revision_history": [
{
"date": "2021-12-02T14:27:54+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-12-02T14:27:54+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-29T18:00:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CNV 4.8 for RHEL 7",
"product": {
"name": "CNV 4.8 for RHEL 7",
"product_id": "7Server-CNV-4.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:container_native_virtualization:4.8::el7"
}
}
},
{
"category": "product_name",
"name": "CNV 4.8 for RHEL 8",
"product": {
"name": "CNV 4.8 for RHEL 8",
"product_id": "8Base-CNV-4.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:container_native_virtualization:4.8::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-0:4.8.3-251.el7.src",
"product": {
"name": "kubevirt-0:4.8.3-251.el7.src",
"product_id": "kubevirt-0:4.8.3-251.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt@4.8.3-251.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "kubevirt-0:4.8.3-251.el8.src",
"product": {
"name": "kubevirt-0:4.8.3-251.el8.src",
"product_id": "kubevirt-0:4.8.3-251.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt@4.8.3-251.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-virtctl-0:4.8.3-251.el7.x86_64",
"product": {
"name": "kubevirt-virtctl-0:4.8.3-251.el7.x86_64",
"product_id": "kubevirt-virtctl-0:4.8.3-251.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt-virtctl@4.8.3-251.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-redistributable-0:4.8.3-251.el7.x86_64",
"product": {
"name": "kubevirt-virtctl-redistributable-0:4.8.3-251.el7.x86_64",
"product_id": "kubevirt-virtctl-redistributable-0:4.8.3-251.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt-virtctl-redistributable@4.8.3-251.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-0:4.8.3-251.el8.x86_64",
"product": {
"name": "kubevirt-virtctl-0:4.8.3-251.el8.x86_64",
"product_id": "kubevirt-virtctl-0:4.8.3-251.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt-virtctl@4.8.3-251.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-redistributable-0:4.8.3-251.el8.x86_64",
"product": {
"name": "kubevirt-virtctl-redistributable-0:4.8.3-251.el8.x86_64",
"product_id": "kubevirt-virtctl-redistributable-0:4.8.3-251.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt-virtctl-redistributable@4.8.3-251.el8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-0:4.8.3-251.el7.src as a component of CNV 4.8 for RHEL 7",
"product_id": "7Server-CNV-4.8:kubevirt-0:4.8.3-251.el7.src"
},
"product_reference": "kubevirt-0:4.8.3-251.el7.src",
"relates_to_product_reference": "7Server-CNV-4.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-0:4.8.3-251.el7.x86_64 as a component of CNV 4.8 for RHEL 7",
"product_id": "7Server-CNV-4.8:kubevirt-virtctl-0:4.8.3-251.el7.x86_64"
},
"product_reference": "kubevirt-virtctl-0:4.8.3-251.el7.x86_64",
"relates_to_product_reference": "7Server-CNV-4.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-redistributable-0:4.8.3-251.el7.x86_64 as a component of CNV 4.8 for RHEL 7",
"product_id": "7Server-CNV-4.8:kubevirt-virtctl-redistributable-0:4.8.3-251.el7.x86_64"
},
"product_reference": "kubevirt-virtctl-redistributable-0:4.8.3-251.el7.x86_64",
"relates_to_product_reference": "7Server-CNV-4.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-0:4.8.3-251.el8.src as a component of CNV 4.8 for RHEL 8",
"product_id": "8Base-CNV-4.8:kubevirt-0:4.8.3-251.el8.src"
},
"product_reference": "kubevirt-0:4.8.3-251.el8.src",
"relates_to_product_reference": "8Base-CNV-4.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-0:4.8.3-251.el8.x86_64 as a component of CNV 4.8 for RHEL 8",
"product_id": "8Base-CNV-4.8:kubevirt-virtctl-0:4.8.3-251.el8.x86_64"
},
"product_reference": "kubevirt-virtctl-0:4.8.3-251.el8.x86_64",
"relates_to_product_reference": "8Base-CNV-4.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-redistributable-0:4.8.3-251.el8.x86_64 as a component of CNV 4.8 for RHEL 8",
"product_id": "8Base-CNV-4.8:kubevirt-virtctl-redistributable-0:4.8.3-251.el8.x86_64"
},
"product_reference": "kubevirt-virtctl-redistributable-0:4.8.3-251.el8.x86_64",
"relates_to_product_reference": "8Base-CNV-4.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-29923",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-08-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1992006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability potentially affects any component written in Go that uses the net standard library and ParseIP / ParseCIDR functions. There are components which might not use these functions or might use them to parse IP addresses and not manage them in any way (only store information about the ip address) . This reduces the severity of this vulnerability to Low for the following offerings:\n* OpenShift distributed tracing (formerly OpenShift Jaeger)\n* OpenShift Migration Toolkit for Containers\n* OpenShift Container Platform",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-CNV-4.8:kubevirt-0:4.8.3-251.el7.src",
"7Server-CNV-4.8:kubevirt-virtctl-0:4.8.3-251.el7.x86_64",
"7Server-CNV-4.8:kubevirt-virtctl-redistributable-0:4.8.3-251.el7.x86_64",
"8Base-CNV-4.8:kubevirt-0:4.8.3-251.el8.src",
"8Base-CNV-4.8:kubevirt-virtctl-0:4.8.3-251.el8.x86_64",
"8Base-CNV-4.8:kubevirt-virtctl-redistributable-0:4.8.3-251.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29923"
},
{
"category": "external",
"summary": "RHBZ#1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923"
},
{
"category": "external",
"summary": "https://sick.codes/sick-2021-016/",
"url": "https://sick.codes/sick-2021-016/"
}
],
"release_date": "2021-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-02T14:27:54+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-CNV-4.8:kubevirt-0:4.8.3-251.el7.src",
"7Server-CNV-4.8:kubevirt-virtctl-0:4.8.3-251.el7.x86_64",
"7Server-CNV-4.8:kubevirt-virtctl-redistributable-0:4.8.3-251.el7.x86_64",
"8Base-CNV-4.8:kubevirt-0:4.8.3-251.el8.src",
"8Base-CNV-4.8:kubevirt-virtctl-0:4.8.3-251.el8.x86_64",
"8Base-CNV-4.8:kubevirt-virtctl-redistributable-0:4.8.3-251.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4910"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"7Server-CNV-4.8:kubevirt-0:4.8.3-251.el7.src",
"7Server-CNV-4.8:kubevirt-virtctl-0:4.8.3-251.el7.x86_64",
"7Server-CNV-4.8:kubevirt-virtctl-redistributable-0:4.8.3-251.el7.x86_64",
"8Base-CNV-4.8:kubevirt-0:4.8.3-251.el8.src",
"8Base-CNV-4.8:kubevirt-virtctl-0:4.8.3-251.el8.x86_64",
"8Base-CNV-4.8:kubevirt-virtctl-redistributable-0:4.8.3-251.el8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-CNV-4.8:kubevirt-0:4.8.3-251.el7.src",
"7Server-CNV-4.8:kubevirt-virtctl-0:4.8.3-251.el7.x86_64",
"7Server-CNV-4.8:kubevirt-virtctl-redistributable-0:4.8.3-251.el7.x86_64",
"8Base-CNV-4.8:kubevirt-0:4.8.3-251.el8.src",
"8Base-CNV-4.8:kubevirt-virtctl-0:4.8.3-251.el8.x86_64",
"8Base-CNV-4.8:kubevirt-virtctl-redistributable-0:4.8.3-251.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet"
}
]
}
RHSA-2021:4914
Vulnerability from csaf_redhat - Published: 2021-12-02 16:59 - Updated: 2026-04-29 18:00Summary
Red Hat Security Advisory: OpenShift Virtualization 4.8.3 Images security and bug fix update
Severity
Moderate
Notes
Topic: Red Hat OpenShift Virtualization release 4.8.3 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains the following OpenShift Virtualization 4.8.3 images:
RHEL-8-CNV-4.8
==============
hostpath-provisioner-container-v4.8.3-4
kubevirt-v2v-conversion-container-v4.8.3-3
virt-cdi-cloner-container-v4.8.3-4
virt-cdi-operator-container-v4.8.3-4
virt-cdi-uploadproxy-container-v4.8.3-4
virt-launcher-container-v4.8.3-9
vm-import-operator-container-v4.8.3-7
virt-cdi-apiserver-container-v4.8.3-4
kubevirt-vmware-container-v4.8.3-3
virt-api-container-v4.8.3-9
vm-import-virtv2v-container-v4.8.3-7
virtio-win-container-v4.8.3-3
node-maintenance-operator-container-v4.8.3-2
hostpath-provisioner-operator-container-v4.8.3-4
virt-cdi-controller-container-v4.8.3-4
virt-cdi-importer-container-v4.8.3-4
bridge-marker-container-v4.8.3-3
ovs-cni-marker-container-v4.8.3-3
virt-handler-container-v4.8.3-9
virt-controller-container-v4.8.3-9
cnv-containernetworking-plugins-container-v4.8.3-3
kubevirt-template-validator-container-v4.8.3-3
hyperconverged-cluster-webhook-container-v4.8.3-5
ovs-cni-plugin-container-v4.8.3-3
hyperconverged-cluster-operator-container-v4.8.3-5
kubevirt-ssp-operator-container-v4.8.3-4
virt-cdi-uploadserver-container-v4.8.3-4
kubemacpool-container-v4.8.3-5
vm-import-controller-container-v4.8.3-7
virt-operator-container-v4.8.3-9
kubernetes-nmstate-handler-container-v4.8.3-8
cnv-must-gather-container-v4.8.3-12
cluster-network-addons-operator-container-v4.8.3-8
hco-bundle-registry-container-v4.8.3-58
Security Fix(es):
* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
7.3 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-CNV-4.8:container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-CNV-4.8:container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
28 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Virtualization release 4.8.3 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenShift Virtualization is Red Hat\u0027s virtualization solution designed for Red Hat OpenShift Container Platform.\n\nThis advisory contains the following OpenShift Virtualization 4.8.3 images:\n\nRHEL-8-CNV-4.8\n==============\nhostpath-provisioner-container-v4.8.3-4\nkubevirt-v2v-conversion-container-v4.8.3-3\nvirt-cdi-cloner-container-v4.8.3-4\nvirt-cdi-operator-container-v4.8.3-4\nvirt-cdi-uploadproxy-container-v4.8.3-4\nvirt-launcher-container-v4.8.3-9\nvm-import-operator-container-v4.8.3-7\nvirt-cdi-apiserver-container-v4.8.3-4\nkubevirt-vmware-container-v4.8.3-3\nvirt-api-container-v4.8.3-9\nvm-import-virtv2v-container-v4.8.3-7\nvirtio-win-container-v4.8.3-3\nnode-maintenance-operator-container-v4.8.3-2\nhostpath-provisioner-operator-container-v4.8.3-4\nvirt-cdi-controller-container-v4.8.3-4\nvirt-cdi-importer-container-v4.8.3-4\nbridge-marker-container-v4.8.3-3\novs-cni-marker-container-v4.8.3-3\nvirt-handler-container-v4.8.3-9\nvirt-controller-container-v4.8.3-9\ncnv-containernetworking-plugins-container-v4.8.3-3\nkubevirt-template-validator-container-v4.8.3-3\nhyperconverged-cluster-webhook-container-v4.8.3-5\novs-cni-plugin-container-v4.8.3-3\nhyperconverged-cluster-operator-container-v4.8.3-5\nkubevirt-ssp-operator-container-v4.8.3-4\nvirt-cdi-uploadserver-container-v4.8.3-4\nkubemacpool-container-v4.8.3-5\nvm-import-controller-container-v4.8.3-7\nvirt-operator-container-v4.8.3-9\nkubernetes-nmstate-handler-container-v4.8.3-8\ncnv-must-gather-container-v4.8.3-12\ncluster-network-addons-operator-container-v4.8.3-8\nhco-bundle-registry-container-v4.8.3-58\n\nSecurity Fix(es):\n\n* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)\n\n* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:4914",
"url": "https://access.redhat.com/errata/RHSA-2021:4914"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1983596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
},
{
"category": "external",
"summary": "1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "1997017",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997017"
},
{
"category": "external",
"summary": "1998855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1998855"
},
{
"category": "external",
"summary": "2000251",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000251"
},
{
"category": "external",
"summary": "2001270",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2001270"
},
{
"category": "external",
"summary": "2001281",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2001281"
},
{
"category": "external",
"summary": "2001901",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2001901"
},
{
"category": "external",
"summary": "2007336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007336"
},
{
"category": "external",
"summary": "2007776",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007776"
},
{
"category": "external",
"summary": "2008511",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2008511"
},
{
"category": "external",
"summary": "2012890",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2012890"
},
{
"category": "external",
"summary": "2025475",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025475"
},
{
"category": "external",
"summary": "2026881",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2026881"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4914.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Virtualization 4.8.3 Images security and bug fix update",
"tracking": {
"current_release_date": "2026-04-29T18:00:27+00:00",
"generator": {
"date": "2026-04-29T18:00:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2021:4914",
"initial_release_date": "2021-12-02T16:59:15+00:00",
"revision_history": [
{
"date": "2021-12-02T16:59:15+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-12-02T16:59:15+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-29T18:00:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CNV 4.8 for RHEL 8",
"product": {
"name": "CNV 4.8 for RHEL 8",
"product_id": "8Base-CNV-4.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:container_native_virtualization:4.8::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64",
"product": {
"name": "container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64",
"product_id": "container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64",
"product_identification_helper": {
"purl": "pkg:oci/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/vm-import-operator-rhel8\u0026tag=v4.8.3-7"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64 as a component of CNV 4.8 for RHEL 8",
"product_id": "8Base-CNV-4.8:container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64"
},
"product_reference": "container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64",
"relates_to_product_reference": "8Base-CNV-4.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-29923",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-08-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1992006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability potentially affects any component written in Go that uses the net standard library and ParseIP / ParseCIDR functions. There are components which might not use these functions or might use them to parse IP addresses and not manage them in any way (only store information about the ip address) . This reduces the severity of this vulnerability to Low for the following offerings:\n* OpenShift distributed tracing (formerly OpenShift Jaeger)\n* OpenShift Migration Toolkit for Containers\n* OpenShift Container Platform",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-CNV-4.8:container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29923"
},
{
"category": "external",
"summary": "RHBZ#1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923"
},
{
"category": "external",
"summary": "https://sick.codes/sick-2021-016/",
"url": "https://sick.codes/sick-2021-016/"
}
],
"release_date": "2021-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-02T16:59:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-CNV-4.8:container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4914"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-CNV-4.8:container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-CNV-4.8:container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet"
},
{
"cve": "CVE-2021-34558",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1983596"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate\u0027s private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0\u20131.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* This vulnerability potentially affects any component written in Go that uses crypto/tls from the standard library. It is possible for components that make client connections to malicious servers to be exploited, however the maximum impact is a crash. This vulnerability is rated Low for the following components: \n - OpenShift Container Platform\n - OpenShift distributed tracing (formerly OpenShift Jaeger)\n - OpenShift Migration Toolkit for Containers\n - Red Hat Advanced Cluster Management for Kubernetes\n - Red Hat OpenShift on AWS\n - Red Hat OpenShift Virtualization\n\n* Because OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* Because Service Telemetry Framework1.2 will be retiring soon and the flaw\u0027s impact is lower, no update will be provided at this time for STF1.2\u0027s containers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-CNV-4.8:container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-34558"
},
{
"category": "external",
"summary": "RHBZ#1983596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-34558",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34558"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558"
},
{
"category": "external",
"summary": "https://golang.org/doc/devel/release#go1.15.minor",
"url": "https://golang.org/doc/devel/release#go1.15.minor"
},
{
"category": "external",
"summary": "https://golang.org/doc/devel/release#go1.16.minor",
"url": "https://golang.org/doc/devel/release#go1.16.minor"
}
],
"release_date": "2021-07-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-02T16:59:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-CNV-4.8:container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4914"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-CNV-4.8:container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-CNV-4.8:container-native-virtualization/vm-import-operator-rhel8@sha256:0599dbcdd281283ab17d8f758a59e893e21a5459217e7c723e3621c5ca890d73_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic"
}
]
}
RHSA-2022:0237
Vulnerability from csaf_redhat - Published: 2022-01-24 13:53 - Updated: 2026-04-29 18:00Summary
Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (etcd) security update
Severity
Important
Notes
Topic: An update for etcd is now available for Red Hat OpenStack Platform 16.2
(Train).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details: A highly-available key value store for shared configuration
Security Fix(es):
* net/http: limit growth of header canonicalization cache (CVE-2021-44716)
* net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
* crypto/tls: certificate of wrong type is causing TLS client to panic
(CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
7.3 (High)
Affected products
Fixed
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
6.5 (Medium)
Affected products
Fixed
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources.
7.5 (High)
Affected products
Fixed
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
22 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for etcd is now available for Red Hat OpenStack Platform 16.2\n(Train).\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "A highly-available key value store for shared configuration\n\nSecurity Fix(es):\n\n* net/http: limit growth of header canonicalization cache (CVE-2021-44716)\n\n* net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)\n\n* crypto/tls: certificate of wrong type is causing TLS client to panic\n(CVE-2021-34558)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:0237",
"url": "https://access.redhat.com/errata/RHSA-2022:0237"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1983596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
},
{
"category": "external",
"summary": "1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "2030801",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030801"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0237.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (etcd) security update",
"tracking": {
"current_release_date": "2026-04-29T18:00:27+00:00",
"generator": {
"date": "2026-04-29T18:00:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2022:0237",
"initial_release_date": "2022-01-24T13:53:27+00:00",
"revision_history": [
{
"date": "2022-01-24T13:53:27+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-01-24T13:53:27+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-29T18:00:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 16.2",
"product": {
"name": "Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:16.2::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "etcd-0:3.3.23-7.el8ost.src",
"product": {
"name": "etcd-0:3.3.23-7.el8ost.src",
"product_id": "etcd-0:3.3.23-7.el8ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd@3.3.23-7.el8ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "etcd-0:3.3.23-7.el8ost.x86_64",
"product": {
"name": "etcd-0:3.3.23-7.el8ost.x86_64",
"product_id": "etcd-0:3.3.23-7.el8ost.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd@3.3.23-7.el8ost?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "etcd-debugsource-0:3.3.23-7.el8ost.x86_64",
"product": {
"name": "etcd-debugsource-0:3.3.23-7.el8ost.x86_64",
"product_id": "etcd-debugsource-0:3.3.23-7.el8ost.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd-debugsource@3.3.23-7.el8ost?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"product": {
"name": "etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"product_id": "etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd-debuginfo@3.3.23-7.el8ost?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "etcd-0:3.3.23-7.el8ost.ppc64le",
"product": {
"name": "etcd-0:3.3.23-7.el8ost.ppc64le",
"product_id": "etcd-0:3.3.23-7.el8ost.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd@3.3.23-7.el8ost?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"product": {
"name": "etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"product_id": "etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd-debugsource@3.3.23-7.el8ost?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"product": {
"name": "etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"product_id": "etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd-debuginfo@3.3.23-7.el8ost?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-0:3.3.23-7.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le"
},
"product_reference": "etcd-0:3.3.23-7.el8ost.ppc64le",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-0:3.3.23-7.el8ost.src as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src"
},
"product_reference": "etcd-0:3.3.23-7.el8ost.src",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-0:3.3.23-7.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64"
},
"product_reference": "etcd-0:3.3.23-7.el8ost.x86_64",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le"
},
"product_reference": "etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debuginfo-0:3.3.23-7.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64"
},
"product_reference": "etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debugsource-0:3.3.23-7.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le"
},
"product_reference": "etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debugsource-0:3.3.23-7.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
},
"product_reference": "etcd-debugsource-0:3.3.23-7.el8ost.x86_64",
"relates_to_product_reference": "8Base-RHOS-16.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-29923",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-08-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1992006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability potentially affects any component written in Go that uses the net standard library and ParseIP / ParseCIDR functions. There are components which might not use these functions or might use them to parse IP addresses and not manage them in any way (only store information about the ip address) . This reduces the severity of this vulnerability to Low for the following offerings:\n* OpenShift distributed tracing (formerly OpenShift Jaeger)\n* OpenShift Migration Toolkit for Containers\n* OpenShift Container Platform",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29923"
},
{
"category": "external",
"summary": "RHBZ#1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923"
},
{
"category": "external",
"summary": "https://sick.codes/sick-2021-016/",
"url": "https://sick.codes/sick-2021-016/"
}
],
"release_date": "2021-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-24T13:53:27+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0237"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet"
},
{
"cve": "CVE-2021-34558",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1983596"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate\u0027s private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0\u20131.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* This vulnerability potentially affects any component written in Go that uses crypto/tls from the standard library. It is possible for components that make client connections to malicious servers to be exploited, however the maximum impact is a crash. This vulnerability is rated Low for the following components: \n - OpenShift Container Platform\n - OpenShift distributed tracing (formerly OpenShift Jaeger)\n - OpenShift Migration Toolkit for Containers\n - Red Hat Advanced Cluster Management for Kubernetes\n - Red Hat OpenShift on AWS\n - Red Hat OpenShift Virtualization\n\n* Because OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* Because Service Telemetry Framework1.2 will be retiring soon and the flaw\u0027s impact is lower, no update will be provided at this time for STF1.2\u0027s containers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-34558"
},
{
"category": "external",
"summary": "RHBZ#1983596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-34558",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34558"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558"
},
{
"category": "external",
"summary": "https://golang.org/doc/devel/release#go1.15.minor",
"url": "https://golang.org/doc/devel/release#go1.15.minor"
},
{
"category": "external",
"summary": "https://golang.org/doc/devel/release#go1.16.minor",
"url": "https://golang.org/doc/devel/release#go1.16.minor"
}
],
"release_date": "2021-07-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-24T13:53:27+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0237"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic"
},
{
"cve": "CVE-2021-44716",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-12-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2030801"
}
],
"notes": [
{
"category": "description",
"text": "There\u0027s an uncontrolled resource consumption flaw in golang\u0027s net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http\u0027s http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: limit growth of header canonicalization cache",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For OpenShift Container Platform, OpenShift Virtualization, Red Hat Quay and OpenShift distributed tracing the most an attacker can possibly achieve by exploiting this vulnerability is to crash a container, temporarily impacting availability of one or more services. Therefore impact is rated Moderate.\n\nIn its default configuration, grafana as shipped in Red Hat Enterprise Linux 8 is not affected by this vulnerability. However, enabling http2 in /etc/grafana/grafana.ini explicitly would render grafana affected, therefore grafana has been marked affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44716"
},
{
"category": "external",
"summary": "RHBZ#2030801",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030801"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44716",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44716"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/hcmEScgc00k",
"url": "https://groups.google.com/g/golang-announce/c/hcmEScgc00k"
}
],
"release_date": "2021-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-24T13:53:27+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0237"
},
{
"category": "workaround",
"details": "This flaw can be mitigated by disabling HTTP/2. Setting the GODEBUG=http2server=0 environment variable before calling Serve will disable HTTP/2 unless it was manually configured through the golang.org/x/net/http2 package.",
"product_ids": [
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/http: limit growth of header canonicalization cache"
}
]
}
RHSA-2022:0260
Vulnerability from csaf_redhat - Published: 2022-01-25 13:55 - Updated: 2026-04-29 18:00Summary
Red Hat Security Advisory: Red Hat OpenStack Platform 16.1 (etcd) security update
Severity
Important
Notes
Topic: An update for etcd is now available for Red Hat OpenStack Platform 16.1
(Train).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details: A highly-available key value store for shared configuration
Security Fix(es):
* net/http: limit growth of header canonicalization cache (CVE-2021-44716)
* net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
* crypto/tls: certificate of wrong type is causing TLS client to panic
(CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
7.3 (High)
Affected products
Fixed
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
6.5 (Medium)
Affected products
Fixed
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources.
7.5 (High)
Affected products
Fixed
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
22 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for etcd is now available for Red Hat OpenStack Platform 16.1\n(Train).\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "A highly-available key value store for shared configuration\n\nSecurity Fix(es):\n\n* net/http: limit growth of header canonicalization cache (CVE-2021-44716)\n\n* net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)\n\n* crypto/tls: certificate of wrong type is causing TLS client to panic\n(CVE-2021-34558)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:0260",
"url": "https://access.redhat.com/errata/RHSA-2022:0260"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1983596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
},
{
"category": "external",
"summary": "1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "2030801",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030801"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0260.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenStack Platform 16.1 (etcd) security update",
"tracking": {
"current_release_date": "2026-04-29T18:00:28+00:00",
"generator": {
"date": "2026-04-29T18:00:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2022:0260",
"initial_release_date": "2022-01-25T13:55:40+00:00",
"revision_history": [
{
"date": "2022-01-25T13:55:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-01-25T13:55:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-29T18:00:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 16.1",
"product": {
"name": "Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:16.1::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "etcd-0:3.3.23-7.el8ost.src",
"product": {
"name": "etcd-0:3.3.23-7.el8ost.src",
"product_id": "etcd-0:3.3.23-7.el8ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd@3.3.23-7.el8ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "etcd-0:3.3.23-7.el8ost.x86_64",
"product": {
"name": "etcd-0:3.3.23-7.el8ost.x86_64",
"product_id": "etcd-0:3.3.23-7.el8ost.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd@3.3.23-7.el8ost?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "etcd-debugsource-0:3.3.23-7.el8ost.x86_64",
"product": {
"name": "etcd-debugsource-0:3.3.23-7.el8ost.x86_64",
"product_id": "etcd-debugsource-0:3.3.23-7.el8ost.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd-debugsource@3.3.23-7.el8ost?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"product": {
"name": "etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"product_id": "etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd-debuginfo@3.3.23-7.el8ost?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "etcd-0:3.3.23-7.el8ost.ppc64le",
"product": {
"name": "etcd-0:3.3.23-7.el8ost.ppc64le",
"product_id": "etcd-0:3.3.23-7.el8ost.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd@3.3.23-7.el8ost?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"product": {
"name": "etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"product_id": "etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd-debugsource@3.3.23-7.el8ost?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"product": {
"name": "etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"product_id": "etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd-debuginfo@3.3.23-7.el8ost?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-0:3.3.23-7.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le"
},
"product_reference": "etcd-0:3.3.23-7.el8ost.ppc64le",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-0:3.3.23-7.el8ost.src as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src"
},
"product_reference": "etcd-0:3.3.23-7.el8ost.src",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-0:3.3.23-7.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64"
},
"product_reference": "etcd-0:3.3.23-7.el8ost.x86_64",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le"
},
"product_reference": "etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debuginfo-0:3.3.23-7.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64"
},
"product_reference": "etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debugsource-0:3.3.23-7.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le"
},
"product_reference": "etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debugsource-0:3.3.23-7.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
},
"product_reference": "etcd-debugsource-0:3.3.23-7.el8ost.x86_64",
"relates_to_product_reference": "8Base-RHOS-16.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-29923",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-08-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1992006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability potentially affects any component written in Go that uses the net standard library and ParseIP / ParseCIDR functions. There are components which might not use these functions or might use them to parse IP addresses and not manage them in any way (only store information about the ip address) . This reduces the severity of this vulnerability to Low for the following offerings:\n* OpenShift distributed tracing (formerly OpenShift Jaeger)\n* OpenShift Migration Toolkit for Containers\n* OpenShift Container Platform",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29923"
},
{
"category": "external",
"summary": "RHBZ#1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923"
},
{
"category": "external",
"summary": "https://sick.codes/sick-2021-016/",
"url": "https://sick.codes/sick-2021-016/"
}
],
"release_date": "2021-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-25T13:55:40+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0260"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet"
},
{
"cve": "CVE-2021-34558",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1983596"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate\u0027s private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0\u20131.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* This vulnerability potentially affects any component written in Go that uses crypto/tls from the standard library. It is possible for components that make client connections to malicious servers to be exploited, however the maximum impact is a crash. This vulnerability is rated Low for the following components: \n - OpenShift Container Platform\n - OpenShift distributed tracing (formerly OpenShift Jaeger)\n - OpenShift Migration Toolkit for Containers\n - Red Hat Advanced Cluster Management for Kubernetes\n - Red Hat OpenShift on AWS\n - Red Hat OpenShift Virtualization\n\n* Because OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* Because Service Telemetry Framework1.2 will be retiring soon and the flaw\u0027s impact is lower, no update will be provided at this time for STF1.2\u0027s containers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-34558"
},
{
"category": "external",
"summary": "RHBZ#1983596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-34558",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34558"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558"
},
{
"category": "external",
"summary": "https://golang.org/doc/devel/release#go1.15.minor",
"url": "https://golang.org/doc/devel/release#go1.15.minor"
},
{
"category": "external",
"summary": "https://golang.org/doc/devel/release#go1.16.minor",
"url": "https://golang.org/doc/devel/release#go1.16.minor"
}
],
"release_date": "2021-07-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-25T13:55:40+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0260"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic"
},
{
"cve": "CVE-2021-44716",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-12-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2030801"
}
],
"notes": [
{
"category": "description",
"text": "There\u0027s an uncontrolled resource consumption flaw in golang\u0027s net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http\u0027s http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: limit growth of header canonicalization cache",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For OpenShift Container Platform, OpenShift Virtualization, Red Hat Quay and OpenShift distributed tracing the most an attacker can possibly achieve by exploiting this vulnerability is to crash a container, temporarily impacting availability of one or more services. Therefore impact is rated Moderate.\n\nIn its default configuration, grafana as shipped in Red Hat Enterprise Linux 8 is not affected by this vulnerability. However, enabling http2 in /etc/grafana/grafana.ini explicitly would render grafana affected, therefore grafana has been marked affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44716"
},
{
"category": "external",
"summary": "RHBZ#2030801",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030801"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44716",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44716"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/hcmEScgc00k",
"url": "https://groups.google.com/g/golang-announce/c/hcmEScgc00k"
}
],
"release_date": "2021-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-25T13:55:40+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0260"
},
{
"category": "workaround",
"details": "This flaw can be mitigated by disabling HTTP/2. Setting the GODEBUG=http2server=0 environment variable before calling Serve will disable HTTP/2 unless it was manually configured through the golang.org/x/net/http2 package.",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-7.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-7.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/http: limit growth of header canonicalization cache"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…