Lucene search

K
ibmIBMDEB1DA14A02B1E96C9E1AD15278A7703F1E3D937C4E9332C472E2D1F0F0E8222
HistoryDec 10, 2021 - 3:45 p.m.

Security Bulletin: Vulnerabilities in Golang Go may affect IBM Spectrum Protect Server (CVE-2021-33195, CVE-2021-33197, CVE-2021-36221)

2021-12-1015:45:35
www.ibm.com
23
ibm spectrum protect
golang go
cve-2021-33195
cve-2021-33197
cve-2021-36221
denial of service
arbitrary code execution
security restrictions bypass
vulnerability
fix
8.1.7.000-8.1.12.xxx

EPSS

0.01

Percentile

84.0%

Summary

The IBM Spectrum Protect Server may be affected by Golang Go vulnerabilities such as denial of service, execution of arbitrary code, and bypassing of security restrictions.

Vulnerability Details

CVEID:CVE-2021-33195
**DESCRIPTION:**Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by not following RFC 1035 rules in the LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206601 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2021-33197
**DESCRIPTION:**Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the ReverseProxy in net/http/httputil. By sending a specially-crafted request, an attacker could exploit this vulnerability to drop arbitrary headers, including those set by the ReverseProxy.Director.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206603 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2021-36221
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a race condition upon an ErrAbortHandler abort. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a net/http/httputil ReverseProxy panic.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207036 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Spectrum Protect Server 8.1.7.000-8.1.12.xxx

Remediation/Fixes

IBM Spectrum Protect Server Release First Fixing VRM Level Platform Link to Fix
8.1 8.1.13 AIX
Linux
Windows <https://www.ibm.com/support/pages/node/6522994&gt;

Workarounds and Mitigations

None