CVE-2021-33195: XSS
First published: Tue May 18 2021(Updated: )
A flaw was found in Go. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in the net package and methods on the Resolver type, may return arbitrary values retrieved from DNS, allowing injection of unexpected contents. The highest threat from this vulnerability is to integrity.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openshift-serverless-clients | <0:0.23.2-1.el8 | 0:0.23.2-1.el8 |
| redhat/go-toolset | <1.15-golang-0:1.15.14-2.el7_9 | 1.15-golang-0:1.15.14-2.el7_9 |
| redhat/grafana | <0:7.5.9-4.el8 | 0:7.5.9-4.el8 |
| redhat/buildah | <1:1.27.0-2.el9 | 1:1.27.0-2.el9 |
| redhat/ignition | <0:2.6.0-8.rhaos4.6.git947598e.el8 | 0:2.6.0-8.rhaos4.6.git947598e.el8 |
| redhat/atomic-openshift-service-idler | <0:4.7.0-202107291238.p0.git.39cfc66.assembly.stream.el8 | 0:4.7.0-202107291238.p0.git.39cfc66.assembly.stream.el8 |
| redhat/cri-o | <0:1.20.4-7.rhaos4.7.git6287500.el7 | 0:1.20.4-7.rhaos4.7.git6287500.el7 |
| redhat/ignition | <0:2.9.0-4.rhaos4.7.git1d56dc8.el8 | 0:2.9.0-4.rhaos4.7.git1d56dc8.el8 |
| redhat/openshift | <0:4.7.0-202107292242.p0.git.558d959.assembly.stream.el7 | 0:4.7.0-202107292242.p0.git.558d959.assembly.stream.el7 |
| redhat/openshift-clients | <0:4.7.0-202107292242.p0.git.8b4b094.assembly.stream.el8 | 0:4.7.0-202107292242.p0.git.8b4b094.assembly.stream.el8 |
| redhat/redhat-release-coreos | <0:47.84-1.el8 | 0:47.84-1.el8 |
| redhat/cri-o | <0:1.21.2-8.rhaos4.8.git8d4264e.el7 | 0:1.21.2-8.rhaos4.8.git8d4264e.el7 |
| redhat/ignition | <0:2.9.0-7.rhaos4.8.el8 | 0:2.9.0-7.rhaos4.8.el8 |
| redhat/openshift | <0:4.8.0-202107300027.p0.git.38b3ecc.assembly.stream.el7 | 0:4.8.0-202107300027.p0.git.38b3ecc.assembly.stream.el7 |
| redhat/openshift-clients | <0:4.8.0-202107292313.p0.git.1077b05.assembly.stream.el7 | 0:4.8.0-202107292313.p0.git.1077b05.assembly.stream.el7 |
| redhat/containernetworking-plugins | <0:0.8.6-3.rhaos4.6.el7 | 0:0.8.6-3.rhaos4.6.el7 |
| redhat/cri-tools | <0:1.21.0-3.el8 | 0:1.21.0-3.el8 |
| redhat/golang-github-prometheus-promu | <0:0.5.0-4.git642a960.el8 | 0:0.5.0-4.git642a960.el8 |
| redhat/butane | <0:0.12.1-2.rhaos4.8.el8 | 0:0.12.1-2.rhaos4.8.el8 |
| redhat/mcg | <0:5.9.0-28.61dcf87.5.9.el8 | 0:5.9.0-28.61dcf87.5.9.el8 |
| redhat/etcd | <0:3.3.23-3.1.el8 | 0:3.3.23-3.1.el8 |
| redhat/kubevirt | <0:2.6.10-230.el7 | 0:2.6.10-230.el7 |
| redhat/kubevirt | <0:4.8.5-278.el7 | 0:4.8.5-278.el7 |
| redhat/kubevirt | <0:2.6.10-230.el8 | 0:2.6.10-230.el8 |
| redhat/kubevirt | <0:4.8.5-278.el8 | 0:4.8.5-278.el8 |
| Golang Go | <1.15.13 | |
| Golang Go | >=1.16.0<1.16.5 | |
| Netapp Cloud Insights Telegraf Agent | ||
| redhat/go | <1.16.5 | 1.16.5 |
| redhat/go | <1.15.13 | 1.15.13 |
| IBM Security Guardium Insights | <=3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-33195 https://nvd.nist.gov/vuln/detail/CVE-2021-33195 https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
- https://bugzilla.redhat.com/show_bug.cgi?id=1989564
- https://access.redhat.com/errata/RHSA-2021:3556
- https://access.redhat.com/errata/RHSA-2021:3555
- https://access.redhat.com/errata/RHSA-2021:3431
- https://access.redhat.com/errata/RHSA-2021:4156
- https://access.redhat.com/errata/RHSA-2021:4226
- https://access.redhat.com/errata/RHSA-2022:8008
- https://access.redhat.com/errata/RHSA-2021:3361
- https://access.redhat.com/errata/RHSA-2022:0577
- https://access.redhat.com/errata/RHSA-2021:3009
- https://access.redhat.com/errata/RHBA-2021:2979
- https://access.redhat.com/errata/RHSA-2021:2984
- https://access.redhat.com/errata/RHSA-2021:3248
- https://access.redhat.com/errata/RHSA-2021:2983
- https://access.redhat.com/errata/RHSA-2021:3820
- https://access.redhat.com/errata/RHSA-2021:3759
- https://access.redhat.com/errata/RHSA-2021:5085
- https://access.redhat.com/errata/RHSA-2021:5086
- https://access.redhat.com/errata/RHSA-2021:5072
- https://access.redhat.com/errata/RHSA-2021:3487
- https://access.redhat.com/errata/RHSA-2021:3146
- https://access.redhat.com/errata/RHSA-2022:1402
- https://access.redhat.com/errata/RHSA-2022:1329
- https://access.redhat.com/errata/RHSA-2022:0947
- https://access.redhat.com/errata/RHSA-2021:4104
- https://access.redhat.com/errata/RHSA-2022:0191
- https://access.redhat.com/security/cve/cve-2021-33195
- https://groups.google.com/g/golang-announce
- https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
- https://security.gentoo.org/glsa/202208-02
- https://security.netapp.com/advisory/ntap-20210902-0005/
- https://github.com/golang/go/issues/46241
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1989568
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1989565
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1989566
- https://github.com/golang/go/commit/c89f1224a544cde464fcb86e78ebb0cc97eedba2
- https://access.redhat.com/errata/RHSA-2021:3229
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1995785
- https://access.redhat.com/errata/RHSA-2021:3598
- https://exchange.xforce.ibmcloud.com/vulnerabilities/206601
- https://www.ibm.com/support/pages/node/6550866 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
- RHSA-2021:3556
- RHSA-2021:3555
- RHSA-2021:3431
- RHSA-2021:4156
- RHSA-2021:4226
- RHSA-2022:8008
- RHSA-2021:3361
- RHSA-2022:0577
- RHSA-2021:3009
- RHBA-2021:2979
- RHSA-2021:2984
- RHSA-2021:3248
- RHSA-2021:2983
- RHSA-2021:3820
- RHSA-2021:3759
- RHSA-2021:5085
- RHSA-2021:5086
- RHSA-2021:5072
- RHSA-2021:3487
- RHSA-2021:3146
- RHSA-2022:1402
- RHSA-2022:1329
- RHSA-2022:0947
- RHSA-2021:4104
- RHSA-2022:0191
- IBM-6550866
Frequently Asked Questions
What is CVE-2021-33195?
CVE-2021-33195 is a vulnerability in Go before 1.15.13 and 1.16.x before 1.16.5 that could allow a remote attacker to execute arbitrary code on the system.
What is the severity of CVE-2021-33195?
CVE-2021-33195 has a severity rating of 7.5 (High).
Which functions in Go are affected by CVE-2021-33195?
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net are affected by CVE-2021-33195.
How can I fix CVE-2021-33195?
You can fix CVE-2021-33195 by updating to Go version 1.15.13 or 1.16.5.
Where can I find more information about CVE-2021-33195?
You can find more information about CVE-2021-33195 in the following references: [link1](https://github.com/golang/go/issues/46241), [link2](https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI), [link3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1989568).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/author
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-33195
- agent/software-canonical-lookup
- agent/event
- agent/description
- collector/ibm-support
- source/IBM
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/golang
- canonical/golang go
- version/golang go/1.16.0
- vendor/netapp
- canonical/netapp cloud insights telegraf agent
- vendor/ibm
- canonical/ibm security guardium insights
- version/ibm security guardium insights/3.0