Due to a pre-allocation optimization in zip.NewReader, a malformed archive which indicates it has a significant number of files can cause either a panic or memory exhaustion. References: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912 https://github.com/golang/go/issues/46242
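The defence against this class of bug is a plausibility check on the archive's own metadata before the declared entry count is trusted for allocation, which is the same kind of check the upstream patch applies inside zip.NewReader. The program below is an added example (not code from the Go project, Red Hat, or this bug report) showing how a caller that still runs an unpatched Go, or that wants a hard policy cap on untrusted uploads, can perform that check itself: it parses the end-of-central-directory record, reads the 16-bit entry count, and refuses the archive when count × 46 bytes (the minimum size of one central directory header) could not fit in the file, or when the count exceeds a caller-supplied limit. The function names, the constructed two-file sample archive, and the helper that inflates its entry-count field to a value the file cannot hold are all assumptions made for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constants from the ZIP format specification (PKWARE APPNOTE.TXT).
const (
	eocdSignature   = 0x06054b50 // "PK\x05\x06"
	eocdFixedSize   = 22         // EOCD record without its trailing comment
	maxCommentLen   = 0xFFFF     // the comment length field is 16 bits
	minCentralEntry = 46         // fixed part of one central directory header
	zip64Sentinel   = 0xFFFF     // entry count value meaning "see zip64 EOCD"
)

var ErrImplausibleEntryCount = errors.New("zip: declared entry count cannot fit in the archive")

// findEOCD returns the offset of the end-of-central-directory record, which is
// the last record in the archive and may be followed by a comment of up to
// 65535 bytes, so the search walks backwards from the end of the data.
func findEOCD(data []byte) (int, error) {
	n := len(data)
	if n < eocdFixedSize {
		return 0, errors.New("zip: too small to be a zip archive")
	}
	lowest := n - eocdFixedSize - maxCommentLen
	if lowest < 0 {
		lowest = 0
	}
	for i := n - eocdFixedSize; i >= lowest; i-- {
		if binary.LittleEndian.Uint32(data[i:]) == eocdSignature {
			return i, nil
		}
	}
	return 0, errors.New("zip: end of central directory record not found")
}

// declaredEntryCount reads the 16-bit "total number of entries" field, which
// sits at offset 10 within the EOCD record.
func declaredEntryCount(data []byte) (int, error) {
	off, err := findEOCD(data)
	if err != nil {
		return 0, err
	}
	return int(binary.LittleEndian.Uint16(data[off+10:])), nil
}

// safeNewReader applies two checks before handing untrusted bytes to
// zip.NewReader: a policy cap (maxEntries) and a physical plausibility check,
// since every declared entry needs at least one minCentralEntry-byte central
// directory header present in the file. Zip64 archives (sentinel 0xFFFF) are
// rejected because their real count lives in a separate 64-bit record that
// this check does not parse.
func safeNewReader(data []byte, maxEntries int) (*zip.Reader, error) {
	count, err := declaredEntryCount(data)
	if err != nil {
		return nil, err
	}
	if count == zip64Sentinel {
		return nil, errors.New("zip: zip64 archives are not accepted from untrusted input")
	}
	if count > maxEntries {
		return nil, fmt.Errorf("zip: %d entries exceeds the policy limit of %d", count, maxEntries)
	}
	if count*minCentralEntry > len(data)-eocdFixedSize {
		return nil, ErrImplausibleEntryCount
	}
	return zip.NewReader(bytes.NewReader(data), int64(len(data)))
}

// buildSampleZip creates a small, well-formed two-file archive in memory
// (constructed sample input, not a real artifact).
func buildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range []string{"a.txt", "b.txt"} {
		f, _ := w.Create(name)
		f.Write([]byte("hello"))
	}
	w.Close()
	return buf.Bytes()
}

// corruptEntryCount returns a copy of the archive whose EOCD entry-count
// fields claim n entries (constructed test input modelling the malformed
// archive in the report: the header promises more files than the bytes hold).
func corruptEntryCount(data []byte, n uint16) []byte {
	out := append([]byte(nil), data...)
	off, err := findEOCD(out)
	if err != nil {
		panic(err)
	}
	binary.LittleEndian.PutUint16(out[off+8:], n)  // entries on this disk
	binary.LittleEndian.PutUint16(out[off+10:], n) // total entries
	return out
}

func main() {
	good := buildSampleZip()
	bad := corruptEntryCount(good, 500) // 500 * 46 bytes cannot fit in ~250 bytes
	for _, in := range [][]byte{good, bad} {
		r, err := safeNewReader(in, 1000)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted with", len(r.File), "entries")
	}
}
```

The plausibility bound is deliberately loose (46 bytes per entry is the spec minimum, so it never rejects a well-formed archive), while the policy cap is where a service should encode what it actually expects from a client; for zip64 input the count must be taken from the zip64 EOCD record instead, which this check declines rather than guesses.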
Upstream: 1.15 - https://golang.org/cl/322949 1.16 - https://golang.org/cl/322909 1.17 - https://golang.org/cl/318909
Checking the entire source code of OpenShift 4, only the following components are using archive/zip (components that share the same github.com/openshift repo are removed):
grafana-container/pkg/cmd/grafana-cli
openshift-enterprise-console-container/cmd/bridge
ose-installer-container/cmd/openshift-install
openshift/cmd/clicheck
openshift/cmd/gendocs
openshift/cmd/genman
openshift/cmd/genyaml
openshift/cmd/kubectl
openshift/cmd/kubectl-convert
openshift-clients/cmd/oc
openshift-clients/tools/clicheck
openshift-clients/tools/gendocs
openshift-clients/tools/genman
The majority of these are all short lived, client side programs. A crash/panic in client side programs has minimal security impact. The only Go binary from the above list that is executed as a long lived server side process is openshift-enterprise-console-container/cmd/bridge, which is the main binary for the openshift web console. However, this only includes archive/zip via the GetAndExtractZip function in the vendor/github.com/devfile/library directory, which is entirely unused. Thus the impact for all OpenShift components that include archive/zip is Low.
Upstream patch: https://github.com/golang/go/commit/74242baa4136c7a9132a8ccd9881354442788c8c
While all OpenShift Service Mesh components affected include the vulnerable code, only servicemesh and servicemesh-grafana actually include usage of the affected code in zip.NewReader(). Thus, the impact level for servicemesh-operator and servicemesh-prometheus has been set to Low.
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2021:2634 https://access.redhat.com/errata/RHSA-2021:2634
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33196
This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2021:2704 https://access.redhat.com/errata/RHSA-2021:2704
This issue has been addressed in the following products: Openshift Serverless 1.16 Via RHSA-2021:2705 https://access.redhat.com/errata/RHSA-2021:2705
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2984 https://access.redhat.com/errata/RHSA-2021:2984
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2983 https://access.redhat.com/errata/RHSA-2021:2983
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3076 https://access.redhat.com/errata/RHSA-2021:3076
This issue has been addressed in the following products: Red Hat OpenShift Jaeger 1.20 Via RHSA-2021:3229 https://access.redhat.com/errata/RHSA-2021:3229
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.5 Via RHSA-2021:3361 https://access.redhat.com/errata/RHSA-2021:3361
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:3758 https://access.redhat.com/errata/RHSA-2021:3758