Vulnerability-Lookup

RHSA-2021_3119

Vulnerability from csaf_redhat - Published: 2021-08-10 17:32 - Updated: 2024-11-22 16:37

Summary

Red Hat Security Advisory: OpenShift Virtualization 2.6.6 Images security and bug fix update

Severity

Moderate

Notes

Topic: Red Hat OpenShift Virtualization release 2.6.6 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization <version_number> images: RHEL-8-CNV-2.6 hostpath-provisioner-container-v2.6.6-3 vm-import-controller-container-v2.6.6-5 vm-import-virtv2v-container-v2.6.6-5 vm-import-operator-container-v2.6.6-5 virt-cdi-apiserver-container-v2.6.6-4 virt-cdi-controller-container-v2.6.6-4 virt-cdi-cloner-container-v2.6.6-4 virt-cdi-importer-container-v2.6.6-4 virt-cdi-uploadserver-container-v2.6.6-4 virt-cdi-uploadproxy-container-v2.6.6-4 virt-cdi-operator-container-v2.6.6-4 ovs-cni-marker-container-v2.6.6-5 kubevirt-ssp-operator-container-v2.6.6-5 kubemacpool-container-v2.6.6-7 kubevirt-vmware-container-v2.6.6-4 kubevirt-kvm-info-nfd-plugin-container-v2.6.6-4 kubevirt-cpu-model-nfd-plugin-container-v2.6.6-4 kubevirt-cpu-node-labeller-container-v2.6.6-4 virtio-win-container-v2.6.6-4 kubevirt-template-validator-container-v2.6.6-4 cnv-containernetworking-plugins-container-v2.6.6-4 node-maintenance-operator-container-v2.6.6-4 kubevirt-v2v-conversion-container-v2.6.6-4 cluster-network-addons-operator-container-v2.6.6-4 ovs-cni-plugin-container-v2.6.6-4 bridge-marker-container-v2.6.6-4 kubernetes-nmstate-handler-container-v2.6.6-7 hyperconverged-cluster-webhook-container-v2.6.6-4 cnv-must-gather-container-v2.6.6-16 hyperconverged-cluster-operator-container-v2.6.6-4 virt-launcher-container-v2.6.6-7 hostpath-provisioner-operator-container-v2.6.6-5 virt-api-container-v2.6.6-7 virt-handler-container-v2.6.6-7 virt-controller-container-v2.6.6-7 virt-operator-container-v2.6.6-7 hco-bundle-registry-container-v2.6.6-70 Security Fix(es): * golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2021-3114

A flaw detected in golang: crypto/elliptic, in which P-224 keys as generated can return incorrect inputs, reducing the strength of the cryptography. The highest threat from this vulnerability is confidentiality and integrity.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-682 - Incorrect Calculation

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2021:3119

References

URL

Category

	https://access.redhat.com/errata/RHSA-2021:3119	self
	https://access.redhat.com/security/updates/classi…	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1918750	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1945703	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1958816	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1963275	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1965099	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1965181	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1967086	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1967887	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1969756	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1970372	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1973227	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1974084	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1975212	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1975727	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1977756	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1982760	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1986989	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2021-3114	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1918750	external
	https://www.cve.org/CVERecord?id=CVE-2021-3114	external
	https://nvd.nist.gov/vuln/detail/CVE-2021-3114	external
	https://groups.google.com/g/golang-announce/c/mpe…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat OpenShift Virtualization release 2.6.6 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenShift Virtualization is Red Hat\u0027s virtualization solution designed for Red Hat OpenShift Container Platform.\n\nThis advisory contains the following OpenShift Virtualization \u003cversion_number\u003e images:\n\nRHEL-8-CNV-2.6\n\nhostpath-provisioner-container-v2.6.6-3\nvm-import-controller-container-v2.6.6-5\nvm-import-virtv2v-container-v2.6.6-5\nvm-import-operator-container-v2.6.6-5\nvirt-cdi-apiserver-container-v2.6.6-4\nvirt-cdi-controller-container-v2.6.6-4\nvirt-cdi-cloner-container-v2.6.6-4\nvirt-cdi-importer-container-v2.6.6-4\nvirt-cdi-uploadserver-container-v2.6.6-4\nvirt-cdi-uploadproxy-container-v2.6.6-4\nvirt-cdi-operator-container-v2.6.6-4\novs-cni-marker-container-v2.6.6-5\nkubevirt-ssp-operator-container-v2.6.6-5\nkubemacpool-container-v2.6.6-7\nkubevirt-vmware-container-v2.6.6-4\nkubevirt-kvm-info-nfd-plugin-container-v2.6.6-4\nkubevirt-cpu-model-nfd-plugin-container-v2.6.6-4\nkubevirt-cpu-node-labeller-container-v2.6.6-4\nvirtio-win-container-v2.6.6-4\nkubevirt-template-validator-container-v2.6.6-4\ncnv-containernetworking-plugins-container-v2.6.6-4\nnode-maintenance-operator-container-v2.6.6-4\nkubevirt-v2v-conversion-container-v2.6.6-4\ncluster-network-addons-operator-container-v2.6.6-4\novs-cni-plugin-container-v2.6.6-4\nbridge-marker-container-v2.6.6-4\nkubernetes-nmstate-handler-container-v2.6.6-7\nhyperconverged-cluster-webhook-container-v2.6.6-4\ncnv-must-gather-container-v2.6.6-16\nhyperconverged-cluster-operator-container-v2.6.6-4\nvirt-launcher-container-v2.6.6-7\nhostpath-provisioner-operator-container-v2.6.6-5\nvirt-api-container-v2.6.6-7\nvirt-handler-container-v2.6.6-7\nvirt-controller-container-v2.6.6-7\nvirt-operator-container-v2.6.6-7\nhco-bundle-registry-container-v2.6.6-70\n\nSecurity Fix(es):\n\n* golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2021:3119",
        "url": "https://access.redhat.com/errata/RHSA-2021:3119"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1918750",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1918750"
      },
      {
        "category": "external",
        "summary": "1945703",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945703"
      },
      {
        "category": "external",
        "summary": "1958816",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1958816"
      },
      {
        "category": "external",
        "summary": "1963275",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1963275"
      },
      {
        "category": "external",
        "summary": "1965099",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1965099"
      },
      {
        "category": "external",
        "summary": "1965181",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1965181"
      },
      {
        "category": "external",
        "summary": "1967086",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1967086"
      },
      {
        "category": "external",
        "summary": "1967887",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1967887"
      },
      {
        "category": "external",
        "summary": "1969756",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969756"
      },
      {
        "category": "external",
        "summary": "1970372",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970372"
      },
      {
        "category": "external",
        "summary": "1973227",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1973227"
      },
      {
        "category": "external",
        "summary": "1974084",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1974084"
      },
      {
        "category": "external",
        "summary": "1975212",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975212"
      },
      {
        "category": "external",
        "summary": "1975727",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975727"
      },
      {
        "category": "external",
        "summary": "1977756",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977756"
      },
      {
        "category": "external",
        "summary": "1982760",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1982760"
      },
      {
        "category": "external",
        "summary": "1986989",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1986989"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3119.json"
      }
    ],
    "title": "Red Hat Security Advisory: OpenShift Virtualization 2.6.6 Images security and bug fix update",
    "tracking": {
      "current_release_date": "2024-11-22T16:37:27+00:00",
      "generator": {
        "date": "2024-11-22T16:37:27+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2021:3119",
      "initial_release_date": "2021-08-10T17:32:31+00:00",
      "revision_history": [
        {
          "date": "2021-08-10T17:32:31+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2021-08-10T17:32:31+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T16:37:27+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "CNV 2.6 for RHEL 8",
                "product": {
                  "name": "CNV 2.6 for RHEL 8",
                  "product_id": "8Base-CNV-2.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:container_native_virtualization:2.6::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift Virtualization"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:5593425a63c318702819d74e8f7580c1d548a0d52b65dcf02f5b0b732657d814_amd64",
                "product": {
                  "name": "container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:5593425a63c318702819d74e8f7580c1d548a0d52b65dcf02f5b0b732657d814_amd64",
                  "product_id": "container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:5593425a63c318702819d74e8f7580c1d548a0d52b65dcf02f5b0b732657d814_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kubevirt-cpu-model-nfd-plugin@sha256:5593425a63c318702819d74e8f7580c1d548a0d52b65dcf02f5b0b732657d814?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-cpu-model-nfd-plugin\u0026tag=v2.6.6-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "container-native-virtualization/kubevirt-cpu-node-labeller@sha256:0342c4d29f3c02c9978121c06e1d480bd80dce180330382ee96b9b5471032486_amd64",
                "product": {
                  "name": "container-native-virtualization/kubevirt-cpu-node-labeller@sha256:0342c4d29f3c02c9978121c06e1d480bd80dce180330382ee96b9b5471032486_amd64",
                  "product_id": "container-native-virtualization/kubevirt-cpu-node-labeller@sha256:0342c4d29f3c02c9978121c06e1d480bd80dce180330382ee96b9b5471032486_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kubevirt-cpu-node-labeller@sha256:0342c4d29f3c02c9978121c06e1d480bd80dce180330382ee96b9b5471032486?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-cpu-node-labeller\u0026tag=v2.6.6-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:6727c0d24258c82e2fbd01b9c68d3c24931fc1c3a82ff24512d4f004173d76b2_amd64",
                "product": {
                  "name": "container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:6727c0d24258c82e2fbd01b9c68d3c24931fc1c3a82ff24512d4f004173d76b2_amd64",
                  "product_id": "container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:6727c0d24258c82e2fbd01b9c68d3c24931fc1c3a82ff24512d4f004173d76b2_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kubevirt-kvm-info-nfd-plugin@sha256:6727c0d24258c82e2fbd01b9c68d3c24931fc1c3a82ff24512d4f004173d76b2?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-kvm-info-nfd-plugin\u0026tag=v2.6.6-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "container-native-virtualization/vm-import-controller@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64",
                "product": {
                  "name": "container-native-virtualization/vm-import-controller@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64",
                  "product_id": "container-native-virtualization/vm-import-controller@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/vm-import-controller@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/vm-import-controller\u0026tag=v2.6.6-5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "container-native-virtualization/vm-import-controller-rhel8@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64",
                "product": {
                  "name": "container-native-virtualization/vm-import-controller-rhel8@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64",
                  "product_id": "container-native-virtualization/vm-import-controller-rhel8@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/vm-import-controller-rhel8@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/vm-import-controller-rhel8\u0026tag=v2.6.6-5"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:5593425a63c318702819d74e8f7580c1d548a0d52b65dcf02f5b0b732657d814_amd64 as a component of CNV 2.6 for RHEL 8",
          "product_id": "8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:5593425a63c318702819d74e8f7580c1d548a0d52b65dcf02f5b0b732657d814_amd64"
        },
        "product_reference": "container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:5593425a63c318702819d74e8f7580c1d548a0d52b65dcf02f5b0b732657d814_amd64",
        "relates_to_product_reference": "8Base-CNV-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "container-native-virtualization/kubevirt-cpu-node-labeller@sha256:0342c4d29f3c02c9978121c06e1d480bd80dce180330382ee96b9b5471032486_amd64 as a component of CNV 2.6 for RHEL 8",
          "product_id": "8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:0342c4d29f3c02c9978121c06e1d480bd80dce180330382ee96b9b5471032486_amd64"
        },
        "product_reference": "container-native-virtualization/kubevirt-cpu-node-labeller@sha256:0342c4d29f3c02c9978121c06e1d480bd80dce180330382ee96b9b5471032486_amd64",
        "relates_to_product_reference": "8Base-CNV-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:6727c0d24258c82e2fbd01b9c68d3c24931fc1c3a82ff24512d4f004173d76b2_amd64 as a component of CNV 2.6 for RHEL 8",
          "product_id": "8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:6727c0d24258c82e2fbd01b9c68d3c24931fc1c3a82ff24512d4f004173d76b2_amd64"
        },
        "product_reference": "container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:6727c0d24258c82e2fbd01b9c68d3c24931fc1c3a82ff24512d4f004173d76b2_amd64",
        "relates_to_product_reference": "8Base-CNV-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "container-native-virtualization/vm-import-controller-rhel8@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64 as a component of CNV 2.6 for RHEL 8",
          "product_id": "8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64"
        },
        "product_reference": "container-native-virtualization/vm-import-controller-rhel8@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64",
        "relates_to_product_reference": "8Base-CNV-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "container-native-virtualization/vm-import-controller@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64 as a component of CNV 2.6 for RHEL 8",
          "product_id": "8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64"
        },
        "product_reference": "container-native-virtualization/vm-import-controller@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64",
        "relates_to_product_reference": "8Base-CNV-2.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-3114",
      "cwe": {
        "id": "CWE-682",
        "name": "Incorrect Calculation"
      },
      "discovery_date": "2021-01-21T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:5593425a63c318702819d74e8f7580c1d548a0d52b65dcf02f5b0b732657d814_amd64",
            "8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:0342c4d29f3c02c9978121c06e1d480bd80dce180330382ee96b9b5471032486_amd64",
            "8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:6727c0d24258c82e2fbd01b9c68d3c24931fc1c3a82ff24512d4f004173d76b2_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1918750"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw detected in golang: crypto/elliptic, in which P-224 keys as generated can return incorrect inputs, reducing the strength of the cryptography. The highest threat from this vulnerability is confidentiality and integrity.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: crypto/elliptic: incorrect operations on the P-224 curve",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift ServiceMesh (OSSM) 1.1 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of the support.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64",
          "8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64"
        ],
        "known_not_affected": [
          "8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-model-nfd-plugin@sha256:5593425a63c318702819d74e8f7580c1d548a0d52b65dcf02f5b0b732657d814_amd64",
          "8Base-CNV-2.6:container-native-virtualization/kubevirt-cpu-node-labeller@sha256:0342c4d29f3c02c9978121c06e1d480bd80dce180330382ee96b9b5471032486_amd64",
          "8Base-CNV-2.6:container-native-virtualization/kubevirt-kvm-info-nfd-plugin@sha256:6727c0d24258c82e2fbd01b9c68d3c24931fc1c3a82ff24512d4f004173d76b2_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-3114"
        },
        {
          "category": "external",
          "summary": "RHBZ#1918750",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1918750"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3114",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-3114"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3114",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3114"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/mperVMGa98w",
          "url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w"
        }
      ],
      "release_date": "2021-01-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-08-10T17:32:31+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64",
            "8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:3119"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-CNV-2.6:container-native-virtualization/vm-import-controller-rhel8@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64",
            "8Base-CNV-2.6:container-native-virtualization/vm-import-controller@sha256:63f2ccca381bdba807a5bed1ad3bcd7789178ce35f3aa57096f987e1a71b7a2d_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: crypto/elliptic: incorrect operations on the P-224 curve"
    }
  ]
}

CVE-2021-3114 (GCVE-0-2021-3114)

Vulnerability from cvelistv5 – Published: 2021-01-26 02:23 – Updated: 2024-08-03 16:45

Summary

In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://groups.google.com/g/golang-announce/c/mpe…	x_refsource_CONFIRM
	https://github.com/golang/go/commit/d95ca9138026c…	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://www.debian.org/security/2021/dsa-4848	vendor-advisoryx_refsource_DEBIAN
	https://security.netapp.com/advisory/ntap-2021021…	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2021…	mailing-listx_refsource_MLIST
	https://lists.debian.org/debian-lts-announce/2021…	mailing-listx_refsource_MLIST
	https://security.gentoo.org/glsa/202208-02	vendor-advisoryx_refsource_GENTOO

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:45:51.301Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871"
          },
          {
            "name": "FEDORA-2021-e435a8bb88",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/"
          },
          {
            "name": "DSA-4848",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4848"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210219-0001/"
          },
          {
            "name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
          },
          {
            "name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
          },
          {
            "name": "GLSA-202208-02",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-02"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-04T15:06:51.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871"
        },
        {
          "name": "FEDORA-2021-e435a8bb88",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/"
        },
        {
          "name": "DSA-4848",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4848"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210219-0001/"
        },
        {
          "name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
        },
        {
          "name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
        },
        {
          "name": "GLSA-202208-02",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-02"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-3114",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/g/golang-announce/c/mperVMGa98w",
              "refsource": "CONFIRM",
              "url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w"
            },
            {
              "name": "https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871",
              "refsource": "CONFIRM",
              "url": "https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871"
            },
            {
              "name": "FEDORA-2021-e435a8bb88",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/"
            },
            {
              "name": "DSA-4848",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4848"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210219-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210219-0001/"
            },
            {
              "name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
            },
            {
              "name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
            },
            {
              "name": "GLSA-202208-02",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-02"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-3114",
    "datePublished": "2021-01-26T02:23:18.000Z",
    "dateReserved": "2021-01-11T00:00:00.000Z",
    "dateUpdated": "2024-08-03T16:45:51.301Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2021_3119

CVE-2021-3114 (GCVE-0-2021-3114)

Tags

Sightings

Nomenclature