| Vulnerability Name: | CVE-2021-31525 (CCN-202709) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Assigned: | 2021-04-22 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Published: | 2021-04-22 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Updated: | 2022-11-09 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Summary: | net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVSS v3 Severity: | 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) 5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
5.2 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVSS v2 Severity: | 2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P)
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerability Type: | CWE-674 CWE-120 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerability Consequences: | Denial of Service | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2021-31525 Source: XF Type: UNKNOWN golang-cve202131525-dos(202709) Source: CCN Type: Go GIT Repository net/http: ReadRequest can stack overflow due to recursion with very large headers #45710 Source: MISC Type: Issue Tracking, Patch, Third Party Advisory https://github.com/golang/go/issues/45710 Source: MISC Type: Mailing List, Third Party Advisory https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-ee3c072cd0 Source: GENTOO Type: Third Party Advisory GLSA-202208-02 Source: CCN Type: IBM Security Bulletin 6466435 (Spectrum Protect Plus) Vulnerabilities in Redis, MinIO, Golang, and Urllib3 affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift Source: CCN Type: IBM Security Bulletin 6469447 (App Connect Enterprise Certified Container) IBM App Connect Enterprise Certified Container Operator may be vulnerable to DoS caused by a flaw in Golang module net/http (CVE-2021-31525) Source: CCN Type: IBM Security Bulletin 6475303 (Cloud Pak for Multicloud Management) A security vulnerability in Golang Go affects IBM Cloud Pak for Multicloud Management Managed services Source: CCN Type: IBM Security Bulletin 6483515 (API Connect) IBM API Connect is impacted by a vulnerability in Golang (CVE-2021-31525) Source: CCN Type: IBM Security Bulletin 6486009 (Watson Machine Learning on CP4D) Golang Go Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2021-31525) Source: CCN Type: IBM Security Bulletin 6489841 (Cloud Automation Manager) A security vulnerability in Golang GO affects IBM Cloud Automation Manager Source: CCN Type: IBM Security Bulletin 6492207 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go Source: CCN Type: IBM Security Bulletin 6497349 (Cloud Pak for Integration) IBM Cloud Pak for Integration is vulnerable to Go vulnerability CVE-2021-31525 Source: CCN Type: IBM Security Bulletin 6499711 (Cloud Pak for Integration) Operations Dashboard is vulnerable to multiple Go vulnerabilities Source: CCN Type: IBM Security Bulletin 6519392 (Cloud Pak System) Multiple vulnerabilities have been found in Golang Go which is shipped with Cloud Pak System Source: CCN Type: IBM Security Bulletin 6574375 (Cloud Private) Security Vulnerabilities affect IBM Cloud Private - Golang (CVE-2021-31525) Source: CCN Type: IBM Security Bulletin 6599203 (Netezza As A Service) IBM Netezza as a Service is vulnerable to denial of service due to Golang net package (CVE-2021-33194, CVE-2021-44716, CVE-2021-31525) Source: CCN Type: IBM Security Bulletin 6599703 (Db2 On Openshift) Multiple vulnerabilities affect IBM Db2 On Openshift and IBM Db2 and Db2 Warehouse on Cloud Pak for Data Source: CCN Type: IBM Security Bulletin 6606299 (Cloud Pak for Multicloud Management) IBM Cloud Pak for Multicloud Management Monitoring has multiple vulnerabilities associated with the Go runtime (CVE-2021-29923, CVE-2021-31525, CVE-2021-33194, CVE-2021-33195, CVE-2021-33196, CVE-2021-33197, CVE-2021-33198) Source: CCN Type: IBM Security Bulletin 6610915 (Netezza for Cloud Pak for Data) IBM Netezza for Cloud Pak for Data is vulnerable to denial of service due to Golang net package (CVE-2021-27918, CVE-2021-44716, CVE-2021-31525) Source: CCN Type: IBM Security Bulletin 6615221 (Robotic Process Automation for Cloud Pak) Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak Source: CCN Type: IBM Security Bulletin 6831813 (Netcool Operations Insight) Netcool Operations Insight v1.6.6 contains fixes for multiple security vulnerabilities. Source: CCN Type: IBM Security Bulletin 6833266 (CICS TX Standard) IBM CICS TX Standard is vulnerable to multiple vulnerabilities in Golang Go. Source: CCN Type: IBM Security Bulletin 6833268 (CICS TX Advanced) IBM CICS TX Advanced is vulnerable to multiple vulnerabilities in Golang Go. Source: CCN Type: IBM Security Bulletin 6991617 (Edge Application Manager) Open Source Dependency Vulnerability Source: CCN Type: IBM Security Bulletin 6999559 (Edge Application Manager) IBM Edge Application Manager 4.5 addresses multiple security vulnerabilities Source: CCN Type: IBM Security Bulletin 7002503 (Cloud Pak for Security) IBM Cloud Pak for Security includes components with multiple known vulnerabilities Source: CCN Type: WhiteSource Vulnerability Database CVE-2021-31525 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration RedHat 1: Configuration RedHat 2: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||