Описание
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
A flaw was found in golang. This vulnerability can only be triggered when invoking functions from vulnerable WASM (WebAssembly) Modules. Go can be compiled to WASM. If the product or service doesn't use WASM functions, it is not affected, although it uses golang.
Отчет
- Although this flaw has a higher CVSS score, in a strict sense, the flaw could possibly enable code exec, either Red Hat products don't use WASM, or don't expose WASM functions in a way that makes code exec possible. For this reason, the Red Hat impact for this flaw is Moderate.
- Because the flawed code is not actually used in Service Telemetry Framework1.3, no update will be provided at this time for STF's sg-core-container. *For a WASM Module to be vulnerable, it needs to be built using GOARCH=wasm GOOS=js (build options for WebAssembly). *CVE-2021-38297 is a vulnerability that affects Go (golang). It has been fixed in versions 1.17.2 and 1.16.9. *CVE-2021-38297 does not affect the OpenShift Container Platform (OCP) because it does not build anything with GOARCH=wasm GOOS=js. Hence, OCP-based services are not affected either.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-all-in-one-rhel8 | Not affected | ||
| Migration Toolkit for Containers | rhmtc/openshift-migration-rhel8-operator | Not affected | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-controller-rhel9 | Not affected | ||
| OpenShift Serverless | CLI | Affected | ||
| OpenShift Serverless | knative-eventing | Affected | ||
| OpenShift Service Mesh 2.0 | servicemesh | Not affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Not affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-operator | Not affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Not affected | ||
| Red Hat Advanced Cluster Security 3 | rox | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
9.8 Critical
CVSS3
Связанные уязвимости
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via la ...
EPSS
9.8 Critical
CVSS3