CVE-2021-3121: Out-of-bounds Read
First published: Mon Jan 11 2021(Updated: )
A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects. This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kiali | <0:v1.24.7.redhat1-1.el8 | 0:v1.24.7.redhat1-1.el8 |
| redhat/cri-o | <0:1.20.0-0.rhaos4.7.git8921e00.el8.51 | 0:1.20.0-0.rhaos4.7.git8921e00.el8.51 |
| redhat/cri-tools | <0:1.20.0-1.el8 | 0:1.20.0-1.el8 |
| redhat/openshift-clients | <0:4.7.0-202103251046.p0.git.3957.c4da68b.el7 | 0:4.7.0-202103251046.p0.git.3957.c4da68b.el7 |
| redhat/openshift | <0:4.8.0-202107161820.p0.git.051ac4f.assembly.stream.el8 | 0:4.8.0-202107161820.p0.git.051ac4f.assembly.stream.el8 |
| redhat/openshift-clients | <0:4.8.0-202106281541.p0.git.1077b05.assembly.stream.el8 | 0:4.8.0-202106281541.p0.git.1077b05.assembly.stream.el8 |
| redhat/github.com/gogo/protobuf | <1.3.2 | 1.3.2 |
| Google Protocol Buffers | <1.3.2 | |
| HashiCorp Consul | <1.8.15 | |
| HashiCorp Consul | <1.8.15 | |
| HashiCorp Consul | >=1.9.0<1.9.9 | |
| HashiCorp Consul | >=1.9.0<1.9.9 | |
| HashiCorp Consul | >=1.10.0<1.10.2 | |
| HashiCorp Consul | >=1.10.0<1.10.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-3121 https://nvd.nist.gov/vuln/detail/CVE-2021-3121
- https://bugzilla.redhat.com/show_bug.cgi?id=1921650
- https://access.redhat.com/errata/RHSA-2022:1679
- https://access.redhat.com/errata/RHSA-2021:2136
- https://access.redhat.com/errata/RHSA-2021:2374
- https://access.redhat.com/errata/RHSA-2022:1276
- https://access.redhat.com/errata/RHSA-2022:6916
- https://access.redhat.com/errata/RHSA-2022:0056
- https://access.redhat.com/errata/RHSA-2022:0577
- https://access.redhat.com/errata/RHSA-2022:6536
- https://access.redhat.com/errata/RHSA-2020:5634
- https://access.redhat.com/errata/RHSA-2021:1006
- https://access.redhat.com/errata/RHBA-2021:1365
- https://access.redhat.com/errata/RHSA-2020:5633
- https://access.redhat.com/errata/RHSA-2020:5635
- https://access.redhat.com/errata/RHSA-2021:1005
- https://access.redhat.com/errata/RHSA-2021:1007
- https://access.redhat.com/errata/RHSA-2021:1225
- https://access.redhat.com/errata/RHSA-2021:1227
- https://access.redhat.com/errata/RHSA-2021:1552
- https://access.redhat.com/errata/RHSA-2021:1563
- https://access.redhat.com/errata/RHSA-2021:2121
- https://access.redhat.com/errata/RHSA-2021:2286
- https://access.redhat.com/errata/RHSA-2021:2977
- https://access.redhat.com/errata/RHSA-2021:3262
- https://access.redhat.com/errata/RHSA-2021:3303
- https://access.redhat.com/errata/RHSA-2022:0283
- https://access.redhat.com/errata/RHSA-2021:2437
- https://access.redhat.com/errata/RHSA-2021:2438
- https://access.redhat.com/errata/RHBA-2021:3760
- https://access.redhat.com/errata/RHSA-2021:3759
- https://access.redhat.com/errata/RHSA-2021:0799
- https://access.redhat.com/errata/RHSA-2021:4104
- https://access.redhat.com/security/cve/CVE-2021-3121
- https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025
- https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
- https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2
- https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210219-0006/
- https://github.com/jaegertracing/jaeger/blob/27cb88fcb276de4bc2450137d17d999cbb802aea/proto-gen/api_v2/collector.pb.go#L394
- https://github.com/kubernetes/kubernetes/pull/98477
- https://access.redhat.com/errata/RHSA-2021:0607
- https://access.redhat.com/security/cve/cve-2021-3121
- https://access.redhat.com/errata/RHSA-2021:0719
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1958518
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1967614
- https://access.redhat.com/errata/RHSA-2021:2920
- https://access.redhat.com/errata/RHSA-2021:3259
- https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff%40%3Cnotifications.skywalking.apache.org%3E
Parent vulnerabilities
(Appears in the following advisories)
- RHSA-2022:1679
- RHSA-2021:2136
- RHSA-2021:2374
- RHSA-2022:1276
- RHSA-2022:6916
- RHSA-2022:0056
- RHSA-2022:0577
- RHSA-2022:6536
- RHSA-2020:5634
- RHSA-2021:1006
- RHBA-2021:1365
- RHSA-2020:5633
- RHSA-2020:5635
- RHSA-2021:1005
- RHSA-2021:1007
- RHSA-2021:1225
- RHSA-2021:1227
- RHSA-2021:1552
- RHSA-2021:1563
- RHSA-2021:2121
- RHSA-2021:2286
- RHSA-2021:2977
- RHSA-2021:3262
- RHSA-2021:3303
- RHSA-2022:0283
- RHSA-2021:2437
- RHSA-2021:2438
- RHBA-2021:3760
- RHSA-2021:3759
- RHSA-2021:0799
- RHSA-2021:4104
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2021-3121.
What is the severity of CVE-2021-3121?
The severity of CVE-2021-3121 is high with a CVSS score of 8.6.
What is the affected software?
The affected software includes github.com/gogo/protobuf versions up to 1.3.2, kiali up to v1.24.7.redhat1-1.el8, cri-o up to 1.20.0-0.rhaos4.7.git8921e00.el8.51, cri-tools up to 1.20.0-1.el8, and others.
How does this vulnerability occur?
This vulnerability occurs due to an out-of-bounds access when unmarshalling certain protobuf objects in github.com/gogo/protobuf.
How can I fix CVE-2021-3121?
To fix CVE-2021-3121, update your golang/protobuf package to version 1.3.2 or newer and apply any available patches or updates for the affected software.
- collector/redhat-cve
- agent/type
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/event
- agent/description
- agent/trending
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3121
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/golang
- canonical/google protocol buffers
- vendor/hashicorp
- canonical/hashicorp consul
- version/hashicorp consul/1.9.0
- version/hashicorp consul/1.10.0