Bug 1193930 - (CVE-2021-43565) VUL-0: CVE-2021-43565: kubernetes,docker,kubernetes-1.18,kubevirt: golang.org/x/crypto: empty plaintext packet causes panic
(CVE-2021-43565)
VUL-0: CVE-2021-43565: kubernetes,docker,kubernetes-1.18,kubevirt: golang.org...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Containers Team
Security Team bot
https://smash.suse.de/issue/317009/
CVSSv3.1:SUSE:CVE-2021-43565:7.5:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-12-20 16:57 UTC by Carlos López
Modified: 2022-05-16 16:18 UTC (History)
9 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2021-12-20 16:57:22 UTC
rh#2030787

Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed unauthenticated clients to cause a panic in SSH servers.

Reference:
https://github.com/golang/go/issues/49932

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2030787
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43565
Comment 1 Carlos López 2021-12-20 16:57:53 UTC
This vulnerability affects golang-org-x-crypto, which we do not ship directly, but certain packages bundle it. Listing below the codestreams for which packages embed the vulnerable code.

docker:
 - SUSE:SLE-12:Update
 - SUSE:SLE-15:Update
 - openSUSE:Factory

kubernetes:
 - SUSE:SLE-12:Update
 - SUSE:SLE-15-SP1:Update:Products:CASP40:Update

kubernetes-1.18:
 - SUSE:SLE-15-SP2:Update:Products:CaaSP:4.5:Update

buildkit:
 - openSUSE:Factory

lxd:
 - openSUSE:Backports:SLE-15-SP2:Update
 - openSUSE:Backports:SLE-15-SP3:Update

kubevirt:
 - SUSE:SLE-15-SP2:Update
 - SUSE:SLE-15-SP3:Update
 - openSUSE:Factory

I could not find other packages that embed the vulnerable code.

Upstream fix:
https://github.com/golang/crypto/commit/5770296d904e90f15f38f77dfc2e43fdf5efc083
Comment 7 Swamp Workflow Management 2022-01-10 14:17:17 UTC
SUSE-SU-2022:0040-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1190587,1190839,1193930
CVE References: CVE-2021-43565
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    kubevirt-0.45.0-8.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-01-10 14:21:06 UTC
openSUSE-SU-2022:0040-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1190587,1190839,1193930
CVE References: CVE-2021-43565
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kubevirt-0.45.0-8.7.1
Comment 10 Swamp Workflow Management 2022-01-19 20:27:11 UTC
SUSE-SU-2022:0130-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1193930
CVE References: CVE-2021-43565
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    kubevirt-0.40.0-5.17.2
SUSE Manager Retail Branch Server 4.1 (src):    kubevirt-0.40.0-5.17.2
SUSE Manager Proxy 4.1 (src):    kubevirt-0.40.0-5.17.2
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    kubevirt-0.40.0-5.17.2
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    kubevirt-0.40.0-5.17.2
SUSE Linux Enterprise Server 15-SP2-BCL (src):    kubevirt-0.40.0-5.17.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    kubevirt-0.40.0-5.17.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    kubevirt-0.40.0-5.17.2
SUSE Enterprise Storage 7 (src):    kubevirt-0.40.0-5.17.2
SUSE CaaS Platform 4.5 (src):    kubevirt-0.40.0-5.17.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-02-17 14:18:41 UTC
openSUSE-SU-2022:0040-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1190587,1190839,1193662,1193930,1194842,1194843,1194844
CVE References: CVE-2021-4104,CVE-2021-43565,CVE-2022-23302,CVE-2022-23305,CVE-2022-23307
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kubevirt-0.45.0-8.7.1
openSUSE Backports SLE-15-SP2 (src):    kafka-2.1.0-bp152.2.3.1, kafka-kit-2.1.0-bp152.2.3.1
Comment 12 Marcus Meissner 2022-04-04 11:34:13 UTC
still missing updates for docker and kubernetes
Comment 13 Thomas Leroy 2022-04-19 10:04:50 UTC
Any update on this issue for docker and kubernetes? We currently have SR#269947 and SR#269948 to bump docker, but from what I see, the golang.org/x/crypto used to compile docker is commit c1f2f97bffc9c53fc40a1a28a5b460094c0050d9, which I think is still vulnerable to this issue... Could you please submit a fix for docker and k8 for this issue? :)
Comment 15 Aleksa Sarai 2022-04-30 01:48:06 UTC
(In reply to Thomas Leroy from comment #13)
> Any update on this issue for docker and kubernetes? We currently have
> SR#269947 and SR#269948 to bump docker, but from what I see, the
> golang.org/x/crypto used to compile docker is commit
> c1f2f97bffc9c53fc40a1a28a5b460094c0050d9, which I think is still vulnerable
> to this issue... Could you please submit a fix for docker and k8 for this
> issue? :)

It seems that Docker felt that the issue didn't affect them because while they have updated the version used in the main branch[1], the release branches didn't get updated.

I've sent MRs with a manual update to golang.org/x/crypto.

[1]: https://github.com/moby/moby/commit/917b44799d9a51da9c7a4fa92dfaf1df9cc06648
Comment 16 Swamp Workflow Management 2022-05-03 19:23:59 UTC
SUSE-SU-2022:1507-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192814,1193273,1193930,1196441,1197284,1197517
CVE References: CVE-2021-41190,CVE-2021-43565,CVE-2022-23648,CVE-2022-24769,CVE-2022-27191
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.5.11-16.57.1, docker-20.10.14_ce-98.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2022-05-16 16:18:37 UTC
SUSE-SU-2022:1689-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1193930,1196441,1197284,1197517
CVE References: CVE-2021-43565,CVE-2022-23648,CVE-2022-24769,CVE-2022-27191
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1, docker-kubic-20.10.14_ce-150000.163.1
openSUSE Leap 15.3 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1, docker-kubic-20.10.14_ce-150000.163.1
SUSE Manager Server 4.1 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Manager Retail Branch Server 4.1 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Manager Proxy 4.1 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server for SAP 15 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-LTSS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    containerd-1.5.11-150000.68.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Micro 5.2 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Micro 5.1 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Micro 5.0 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Enterprise Storage 7 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Enterprise Storage 6 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE CaaS Platform 4.0 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.