CVE-2021-33194

Отчет

Red Hat Developer Tools go-toolset-1.14-golang not affected because the vulnerable code is not shipped. This vulnerability within golang and buildah shipped with RHEL-7 are out of support scope. For more information on Red Hat's support scope, visit: https://access.redhat.com/support/policy/updates/errata For RHEL-8's go-toolset:rhel8/golang, container-tools:1.0/buildah, container-tools:2.0/buildah, and container-tools:rhel8/buildah, the affected function is only used in e2e tests. For RHEL-9's golang and buildah, the affected function is only used in e2e tests. Red Hat Openshift Container Storage has dependencies with the affected code, however, low priority trackers were filed as the vulnerable code is not shipped or used. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. The platform enforces hardening guidelines to ensure the most restrictive setting needed for operational requirements. Event logs are collected and processed for centralization, correlation, analysis, monitoring, reporting, alerting, and retention. This process ensures that audit logs are generated for specific events involving sensitive information, enabling capabilities like excessive CPU usage, long execution times, or processes consuming abnormal amounts of memory. Static code analysis and peer code review techniques are used to execute robust input validation and error-handling mechanisms to ensure all user inputs are thoroughly validated, preventing infinite loops caused by malformed or unexpected input, such as unbounded user input or unexpected null values that cause loops to never terminate. In the event of successful exploitation, process isolation limits the effect of an infinite loop to a single process rather than allowing it to consume all system resources.