CVE-2021-29923: Input Validation
First published: Mon Mar 22 2021(Updated: )
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openshift-serverless-clients | <0:0.26.0-2.el8 | 0:0.26.0-2.el8 |
| redhat/kiali | <0:v1.24.7.redhat1-1.el8 | 0:v1.24.7.redhat1-1.el8 |
| redhat/servicemesh | <0:2.0.9-3.el8 | 0:2.0.9-3.el8 |
| redhat/servicemesh-prometheus | <0:2.14.0-16.el8.1 | 0:2.14.0-16.el8.1 |
| redhat/servicemesh-proxy | <0:2.0.9-3.el8 | 0:2.0.9-3.el8 |
| redhat/go-toolset | <1.15-golang-0:1.15.14-2.el7_9 | 1.15-golang-0:1.15.14-2.el7_9 |
| redhat/butane | <0:0.13.1-2.rhaos4.9.el8 | 0:0.13.1-2.rhaos4.9.el8 |
| redhat/cri-o | <0:1.22.1-17.rhaos4.9.git3029b1d.el7 | 0:1.22.1-17.rhaos4.9.git3029b1d.el7 |
| redhat/cri-tools | <0:1.22.0-2.el8 | 0:1.22.0-2.el8 |
| redhat/golang-github-prometheus-promu | <0:0.5.0-5.git642a960.el8 | 0:0.5.0-5.git642a960.el8 |
| redhat/ignition | <0:2.12.0-3.rhaos4.9.el8 | 0:2.12.0-3.rhaos4.9.el8 |
| redhat/etcd | <0:3.3.23-7.el8 | 0:3.3.23-7.el8 |
| redhat/golang-github-vbatts-tar-split | <0:0.11.1-6.el8 | 0:0.11.1-6.el8 |
| redhat/golang-qpid-apache | <0:0.32.0-rc1.9.el8 | 0:0.32.0-rc1.9.el8 |
| redhat/kubevirt | <0:2.6.8-211.el7 | 0:2.6.8-211.el7 |
| redhat/kubevirt | <0:4.8.3-251.el7 | 0:4.8.3-251.el7 |
| redhat/kubevirt | <0:2.6.8-211.el8 | 0:2.6.8-211.el8 |
| redhat/kubevirt | <0:4.8.3-251.el8 | 0:4.8.3-251.el8 |
| Golang Go | <1.17 | |
| Oracle TimesTen In-Memory Database | <21.1.1.1.0 | |
| Fedoraproject Fedora | =36 | |
| redhat/go | <1.17.0 | 1.17.0 |
| IBM Security Guardium Insights | <=3.0 |
Remedy
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-29923 https://nvd.nist.gov/vuln/detail/CVE-2021-29923 https://sick.codes/sick-2021-016/
- https://bugzilla.redhat.com/show_bug.cgi?id=1992006
- https://access.redhat.com/errata/RHSA-2022:0434
- https://access.redhat.com/errata/RHSA-2022:0432
- https://access.redhat.com/errata/RHSA-2022:1276
- https://access.redhat.com/errata/RHSA-2021:3431
- https://access.redhat.com/errata/RHSA-2021:3585
- https://access.redhat.com/errata/RHSA-2022:0577
- https://access.redhat.com/errata/RHSA-2022:0557
- https://access.redhat.com/errata/RHSA-2022:0561
- https://access.redhat.com/errata/RHSA-2022:1372
- https://access.redhat.com/errata/RHSA-2022:0318
- https://access.redhat.com/errata/RHSA-2022:0260
- https://access.redhat.com/errata/RHSA-2022:0988
- https://access.redhat.com/errata/RHSA-2022:0989
- https://access.redhat.com/errata/RHSA-2022:0237
- https://access.redhat.com/errata/RHSA-2022:0997
- https://access.redhat.com/errata/RHSA-2022:0998
- https://access.redhat.com/errata/RHSA-2021:4902
- https://access.redhat.com/errata/RHSA-2022:0431
- https://access.redhat.com/errata/RHSA-2021:4722
- https://access.redhat.com/errata/RHSA-2021:4910
- https://access.redhat.com/errata/RHSA-2021:4725
- https://access.redhat.com/errata/RHSA-2022:0947
- https://access.redhat.com/security/cve/cve-2021-29923
- https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis
- https://github.com/golang/go/issues/30999
- https://github.com/golang/go/issues/43389
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md
- https://go-review.googlesource.com/c/go/+/325829/
- https://golang.org/pkg/net/#ParseCIDR
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/
- https://security.gentoo.org/glsa/202208-02
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1992008
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1992007
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1992009
- https://play.golang.org/p/HpWqhr9tZ53
- https://access.redhat.com/errata/RHSA-2021:4914
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/207025
- https://www.ibm.com/support/pages/node/6550866 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
- RHSA-2022:0434
- RHSA-2022:0432
- RHSA-2022:1276
- RHSA-2021:3431
- RHSA-2021:3585
- RHSA-2022:0577
- RHSA-2022:0557
- RHSA-2022:0561
- RHSA-2022:1372
- RHSA-2022:0318
- RHSA-2022:0260
- RHSA-2022:0988
- RHSA-2022:0989
- RHSA-2022:0237
- RHSA-2022:0997
- RHSA-2022:0998
- RHSA-2021:4902
- RHSA-2022:0431
- RHSA-2021:4722
- RHSA-2021:4910
- RHSA-2021:4725
- RHSA-2022:0947
- IBM-6550866
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2021-29923.
What is the severity level of CVE-2021-29923?
CVE-2021-29923 has a severity level of high.
How does CVE-2021-29923 bypass access control?
CVE-2021-29923 bypasses access control based on IP by improperly considering extraneous zero characters at the beginning of an IP address octet.
Which software versions are affected by CVE-2021-29923?
Versions up to 1.17.0 of Go, 0:0.26.0-2.el8 of openshift-serverless-clients, 0:v1.24.7.redhat1-1.el8 of kiali, 0:2.0.9-3.el8 of servicemesh, 0:2.14.0-16.el8.1 of servicemesh-prometheus, 0:2.0.9-3.el8 of servicemesh-proxy, 1.15-golang-0:1.15.14-2.el7_9 of go-toolset, 0:0.13.1-2.rhaos4.9.el8 of butane, 0:1.22.1-17.rhaos4.9.git3029b1d.el7 of cri-o, 0:1.22.0-2.el8 of cri-tools, 0:0.5.0-5.git642a960.el8 of golang-github-prometheus-promu, 0:2.12.0-3.rhaos4.9.el8 of ignition, 0:3.3.23-7.el8 of etcd, 0:0.11.1-6.el8 of golang-github-vbatts-tar-split, 0:0.32.0-rc1.9.el8 of golang-qpid-apache, 0:2.6.8-211.el7 and 0:4.8.3-251.el7 of kubevirt, 0:2.6.8-211.el8 and 0:4.8.3-251.el8 of kubevirt, and versions up to 21.1.1.1.0 of Oracle TimesTen In-Memory Database are affected by CVE-2021-29923.
How can I fix CVE-2021-29923?
To fix CVE-2021-29923, update to version 1.17.0 or newer of Go, or apply the recommended patches for the affected software.
- collector/redhat-cve
- collector/nvd-index
- agent/first-publish-date
- agent/type
- agent/remedy
- agent/author
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-29923
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/description
- agent/event
- agent/tags
- collector/mitre-cve
- source/MITRE
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/golang
- canonical/golang go
- vendor/oracle
- canonical/oracle timesten in-memory database
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/36
- vendor/ibm
- canonical/ibm security guardium insights
- version/ibm security guardium insights/3.0