CVE-2021-41771 - Vulnerability Details

ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Fedoraproject	Fedora
Golang	Go
Redhat	Enterprise Linux Rhmt Serverless

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 3 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Openshift Serveless 1.22
openshift-serverless-1/client-kn-rhel8:1.1.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-controller-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-controller-rhel8:1.1.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-dispatcher-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-post-install-rhel8:1.1.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-webhook-rhel8:1.1.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-mtbroker-filter-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-mtbroker-ingress-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-mtchannel-broker-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-mtping-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-storage-version-migration-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-sugar-controller-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-webhook-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/ingress-rhel8-operator:1.22.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/knative-rhel8-operator:1.22.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/kn-cli-artifacts-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/kourier-control-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/net-istio-controller-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/net-istio-webhook-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serverless-operator-bundle:1.22.0-4	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serverless-rhel8-operator:1.22.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-activator-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-autoscaler-hpa-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-autoscaler-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-controller-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-domain-mapping-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-domain-mapping-webhook-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-queue-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-storage-version-migration-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-webhook-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/svls-must-gather-rhel8:1.22.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1-tech-preview/eventing-kafka-broker-controller-rhel8:1.1.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1-tech-preview/eventing-kafka-broker-dispatcher-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1-tech-preview/eventing-kafka-broker-receiver-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1-tech-preview/eventing-kafka-broker-webhook-rhel8:1.1.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
Openshift Serverless 1 on RHEL 8
openshift-serverless-clients-0:1.1.0-2.el8	cpe:/a:redhat:serverless:1.0::el8	RHSA-2022:1745	2022-05-09T00:00:00Z
Red Hat Enterprise Linux 8
go-toolset:rhel8-8060020220221035359.76a129d7	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:1819	2022-05-10T00:00:00Z
Red Hat Migration Toolkit for Containers 1.7
rhmtc/openshift-migration-must-gather-rhel8:v1.7.1-3	cpe:/a:redhat:rhmt:1.7::el8	RHSA-2022:1734	2022-05-05T00:00:00Z

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
https://groups.google.com/g/golang-announce/c/0fM21h43arc
https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html
https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/
https://nvd.nist.gov/vuln/detail/CVE-2021-41771
https://security.gentoo.org/glsa/202208-02
https://security.netapp.com/advisory/ntap-20211210-0003/
https://www.cve.org/CVERecord?id=CVE-2021-41771
https://www.oracle.com/security-alerts/cpujul2022.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-11-08T00:00:00

Updated: 2024-08-04T03:15:29.252Z

Reserved: 2021-09-28T00:00:00

Link: CVE-2021-41771

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-11-08T06:15:08.057

Modified: 2024-11-21T06:26:44.027

Link: CVE-2021-41771

Redhat

Severity : Moderate

Publid Date: 2021-10-14T00:00:00Z

Links: CVE-2021-41771 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-41771", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T03:15:29.252Z", "dateReserved": "2021-09-28T00:00:00", "datePublished": "2021-11-08T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-04-19T00:00:00"}, "descriptions": [{"lang": "en", "value": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"name": "FEDORA-2021-2ef35beebf", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/"}, {"name": "FEDORA-2021-2b2dd1b5a7", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/"}, {"name": "[debian-lts-announce] 20220121 [SECURITY] [DLA 2891-1] golang-1.8 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html"}, {"name": "[debian-lts-announce] 20220121 [SECURITY] [DLA 2892-1] golang-1.7 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc"}, {"url": "https://security.netapp.com/advisory/ntap-20211210-0003/"}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf"}, {"name": "[debian-lts-announce] 20230419 [SECURITY] [DLA 3395-1] golang-1.11 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:15:29.252Z"}, "title": "CVE Program Container", "references": [{"name": "FEDORA-2021-2ef35beebf", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/"}, {"name": "FEDORA-2021-2b2dd1b5a7", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/"}, {"name": "[debian-lts-announce] 20220121 [SECURITY] [DLA 2891-1] golang-1.8 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html"}, {"name": "[debian-lts-announce] 20220121 [SECURITY] [DLA 2892-1] golang-1.7 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20211210-0003/", "tags": ["x_transferred"]}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230419 [SECURITY] [DLA 3395-1] golang-1.11 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "67AFDFB7-865E-4BA7-9698-61D354A7DE1B", "versionEndExcluding": "1.16.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "90116FE4-B419-4054-9D39-C2961CE88ED5", "versionEndExcluding": "1.17.3", "versionStartIncluding": "1.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation."}, {"lang": "es", "value": "ImportedSymbols en debug/macho (para Open u OpenFat) en Go versiones anteriores a 1.16.10 y 1.17.x versiones anteriores a 1.17.3, Accede a una Ubicaci\u00f3n de Memoria Despu\u00e9s del Final de un B\u00fafer, tambi\u00e9n se conoce como una situaci\u00f3n de \"out-of-bounds slice\""}], "id": "CVE-2021-41771", "lastModified": "2024-11-21T06:26:44.027", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-08T06:15:08.057", "references": [{"source": "cve@mitre.org", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211210-0003/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211210-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/client-kn-rhel8:1.1.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-kafka-broker-controller-rhel8:1.1.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-kafka-broker-dispatcher-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-kafka-broker-post-install-rhel8:1.1.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-kafka-broker-webhook-rhel8:1.1.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-sugar-controller-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.22.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.22.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/kourier-control-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/net-istio-controller-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/net-istio-webhook-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.22.0-4", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.22.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-activator-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-controller-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-domain-mapping-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-domain-mapping-webhook-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-queue-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.22.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1-tech-preview/eventing-kafka-broker-controller-rhel8:1.1.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1-tech-preview/eventing-kafka-broker-dispatcher-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1-tech-preview/eventing-kafka-broker-receiver-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1-tech-preview/eventing-kafka-broker-webhook-rhel8:1.1.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1745", "cpe": "cpe:/a:redhat:serverless:1.0::el8", "package": "openshift-serverless-clients-0:1.1.0-2.el8", "product_name": "Openshift Serverless 1 on RHEL 8", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1819", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "go-toolset:rhel8-8060020220221035359.76a129d7", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}, {"advisory": "RHSA-2022:1734", "cpe": "cpe:/a:redhat:rhmt:1.7::el8", "package": "rhmtc/openshift-migration-must-gather-rhel8:v1.7.1-3", "product_name": "Red Hat Migration Toolkit for Containers 1.7", "release_date": "2022-05-05T00:00:00Z"}], "bugzilla": {"description": "golang: debug/macho: invalid dynamic symbol table command can cause panic", "id": "2020725", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020725"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-119", "details": ["ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.", "An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat, it can cause golang to attempt to read outside of a slice (array) causing a panic when calling ImportedSymbols. An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service."], "name": "CVE-2021-41771", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "CLI", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "knative-eventing", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "golang-github-prometheus-node_exporter", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Not affected", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Out of support scope", "package_name": "go-toolset-1.15-golang", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Affected", "package_name": "go-toolset-1.16-golang", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-installer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "mcg", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "noobaa-operator-container", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/ocs-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "golang-github-vbatts-tar-split", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "golang-github-vbatts-tar-split", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/clair-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-bridge-operator-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-builder-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-container-security-operator-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-openshift-bridge-rhel8-operator", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-operator-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "rhgs3/rhgs-gluster-block-prov-rhel7", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.0::el7", "fix_state": "Not affected", "package_name": "smart-gateway-container", "product_name": "Service Telemetry Framework 1.2 for RHEL 8"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.0::el7", "fix_state": "Not affected", "package_name": "stf/sg-core-rhel8", "product_name": "Service Telemetry Framework 1.2 for RHEL 8"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.3::el8", "fix_state": "Will not fix", "package_name": "stf/sg-core-rhel8", "product_name": "Service Telemetry Framework 1.3 for RHEL 8"}], "public_date": "2021-10-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-41771\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-41771\nhttps://groups.google.com/g/golang-announce/c/0fM21h43arc"], "statement": "For Red Hat Service Telemetry Framework, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the sg-core-container.", "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object