First published: Thu Dec 09 2021(Updated: )
An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests. Reference: <a href="https://github.com/golang/go/issues/50058">https://github.com/golang/go/issues/50058</a>
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/openshift-serverless-clients | <0:1.0.0-2.el8 | 0:1.0.0-2.el8 |
redhat/go-toolset | <1.16-0:1.16.12-1.el7_9 | 1.16-0:1.16.12-1.el7_9 |
redhat/go-toolset | <1.16-golang-0:1.16.12-1.el7_9 | 1.16-golang-0:1.16.12-1.el7_9 |
redhat/grafana | <0:7.5.9-5.el8_5 | 0:7.5.9-5.el8_5 |
redhat/grafana | <0:7.3.6-4.el8_4 | 0:7.3.6-4.el8_4 |
redhat/etcd | <0:3.3.23-9.el7 | 0:3.3.23-9.el7 |
redhat/grafana | <0:5.2.4-5.el7 | 0:5.2.4-5.el7 |
redhat/cri-o | <0:1.23.0-92.rhaos4.10.gitdaab4d1.el7 | 0:1.23.0-92.rhaos4.10.gitdaab4d1.el7 |
redhat/openshift | <0:4.10.0-202202250816.p0.ge419edf.assembly.stream.el7 | 0:4.10.0-202202250816.p0.ge419edf.assembly.stream.el7 |
redhat/containernetworking-plugins | <0:0.9.1-2.rhaos4.10.el8 | 0:0.9.1-2.rhaos4.10.el8 |
redhat/butane | <0:0.13.1-2.rhaos4.9.el8 | 0:0.13.1-2.rhaos4.9.el8 |
redhat/ignition | <0:2.12.0-3.rhaos4.9.el8 | 0:2.12.0-3.rhaos4.9.el8 |
redhat/mcg | <0:5.10.0-72.el8 | 0:5.10.0-72.el8 |
redhat/etcd | <0:3.3.23-7.el8 | 0:3.3.23-7.el8 |
redhat/kubevirt | <0:4.12.0-1057.el7 | 0:4.12.0-1057.el7 |
redhat/kubevirt | <0:4.12.0-1057.el8 | 0:4.12.0-1057.el8 |
Golang Go | <1.16.12 | |
Golang Go | >=1.17.0<1.17.5 | |
Debian Debian Linux | =9.0 | |
Netapp Cloud Insights Telegraf | ||
redhat/Go | <1.17.5 | 1.17.5 |
redhat/Go | <1.16.12 | 1.16.12 |
IBM Cloud Pak for Security | <=1.10.0.0 - 1.10.11.0 | |
IBM QRadar Suite Software | <=1.10.12.0 - 1.10.16.0 | |
<1.16.12 | ||
>=1.17.0<1.17.5 | ||
=9.0 | ||
This flaw can be mitigated by disabling HTTP/2. Setting the GODEBUG=http2server=0 environment variable before calling Serve will disable HTTP/2 unless it was manually configured through the golang.org/x/net/http2 package.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2021-44716 is a vulnerability in the net/http library in Go before 1.16.12 and 1.17.x before 1.17.5.
CVE-2021-44716 has a severity score of 7.5 (high).
CVE-2021-44716 can be exploited by submitting specially crafted requests to applications linked with net/http's http2 functionality.
To fix CVE-2021-44716, update your Go installation to version 1.16.12 or 1.17.5, depending on the version you are using.
You can find more information about CVE-2021-44716 in the references provided: [link 1](https://github.com/golang/go/issues/50058), [link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2030802), [link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2030804).