Vulnerability Name:

CVE-2021-33194 (CCN-202644)

Assigned: 2021-05-20
Published: 2021-05-20
Updated: 2022-06-03
Summary: golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-835
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2021-33194

Source: XF
Type: UNKNOWN
golang-cve202133194-dos(202644)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/golang/net/commit/37e1c6afe02340126705deced573a85ab75209d7

Source: CONFIRM
Type: Third Party Advisory
https://groups.google.com/g/golang-announce/c/wPunbCPkWUg

Source: CCN
Type: Golang Web site
Vulnerability in golang.org/x/net/html

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-17d004ed71

Source: CCN
Type: IBM Security Bulletin 6483479 (API Connect)
IBM API Connect is impacted by a vulnerability in Golang (CVE-2021-33194).

Source: CCN
Type: IBM Security Bulletin 6486011 (Watson Machine Learning on CP4D)
Golang Go Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2021-33194)

Source: CCN
Type: IBM Security Bulletin 6499711 (Cloud Pak for Integration)
Operations Dashboard is vulnerable to multiple Go vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6524682 (Spectrum Protect Plus)
Vulnerabilities in Redis, OpenSSH, Golang Go, and Apache Kafka may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift

Source: CCN
Type: IBM Security Bulletin 6574371 (Cloud Private)
Security Vulnerabilities affect IBM Cloud Private - Golang (CVE-2021-33194)

Source: CCN
Type: IBM Security Bulletin 6599203 (Netezza As A Service)
IBM Netezza as a Service is vulnerable to denial of service due to Golang net package (CVE-2021-33194, CVE-2021-44716, CVE-2021-31525)

Source: CCN
Type: IBM Security Bulletin 6599703 (Db2 On Openshift)
Multiple vulnerabilities affect IBM Db2 On Openshift and IBM Db2 and Db2 Warehouse on Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6606299 (Cloud Pak for Multicloud Management)
IBM Cloud Pak for Multicloud Management Monitoring has multiple vulnerabilities associated with the Go runtime (CVE-2021-29923, CVE-2021-31525, CVE-2021-33194, CVE-2021-33195, CVE-2021-33196, CVE-2021-33197, CVE-2021-33198)

Source: CCN
Type: IBM Security Bulletin 6611143 (Netezza for Cloud Pak for Data)
IBM Netezza for Cloud Pak for Data is vulnerable to denial of service due to Golang net package (CVE-2021-33194)

Source: CCN
Type: IBM Security Bulletin 6833278 (CICS TX Standard)
IBM CICS TX Standard is vulnerable to multiple vulnerabilities in Golang Go and Kubernetes.

Source: CCN
Type: IBM Security Bulletin 6833280 (CICS TX Advanced)
IBM CICS TX Advanced is vulnerable to multiple vulnerabilities in Golang Go and Kubernetes.

Source: CCN
Type: IBM Security Bulletin 6847643 (Spectrum Protect Plus)
Vulnerabilities in Linux Kernel, Golang Go, and cURL libcurl may affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6991617 (Edge Application Manager)
Open Source Dependency Vulnerability

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:golang:go:*:*:*:*:*:*:*:* (Version >= 1.16.0 and <= 1.16.4)
  • OR cpe:/a:golang:go:*:*:*:*:*:*:*:* (Version <= 1.15.12)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:golang:go:1.15.12:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.16.4:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:api_connect:2018.4.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:api_connect:2018.4.1.16:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:3.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:3.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*

* Denotes that component is vulnerable