Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMD910928648A66660B4EF26E5685D05C7C8D269DFFB0ACC4D4B2EDAFF261E4D46
HistoryJun 24, 2021 - 1:10 p.m.

Security Bulletin: Operations Dashboard is vulnerable to Go vulnerabilities (CVE-2021-27918 and CVE-2021-27919)

2021-06-2413:10:56
www.ibm.com
11

0.001 Low

EPSS

Percentile

40.2%

JSON

Summary

Operations Dashboard is vulnerable to Go vulnerabilities (CVE-2021-27918 and CVE-2021-27919) with details of each below.

Vulnerability Details

CVEID:CVE-2021-27918
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an infinite loop flaw when using xml.NewTokenDecoder with a custom TokenReader. By persuading a victim to open a specially-crafted XML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198075 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-27919
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw in the Reader.Open API when use a ZIP archive containing files start with “…/”. By persuading a victim to open a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198076 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
Operations Dashboard

2020.4.1-0-eus
2020.4.1-1-eus
2021.1.1

Remediation/Fixes

Operations Dashboard version 2020.4.1 in IBM Cloud Pak for Integration
Upgrade Operations Dashboard to 2020.4.1-2-eus using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=components-upgrading-operations-dashboard&gt;

Operations Dashboard version 2021.1.1 in IBM Cloud Pak for Integration
Upgrade Operations Dashboard to 2021.2.1 using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.2?topic=runtimes-upgrading-transaction-tracing-troubleshooting&gt;

Workarounds and Mitigations

None

Related

openvas 10
nessus 24
freebsd 1
altlinux 2
ibm 15
osv 7
cvelist 3
veracode 2
nvd 3
redhatcve 4
ubuntucve 2
debiancve 2
prion 3
cve 3
alpinelinux 2
oraclelinux 3
suse 1
cbl_mariner 1
fedora 2
photon 5
redhat 5
rocky 1
almalinux 1
amazon 3
mageia 1
gentoo 1
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2021:0937-1)
2021-06-09 00:00:00
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2021-2061)
2021-07-01 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:0938-1)
2021-04-19 00:00:00
nessus
nessus
SUSE SLED15 / SLES15 Security Update : go1.16 (SUSE-SU-2021:0937-1)
2021-03-26 00:00:00
FreeBSD : go -- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader; archive/zip: panic when calling Reader.Open (72709326-81f7-11eb-950a-00155d646401)
2021-03-11 00:00:00
Oracle Linux 8 : olcne (ELSA-2021-9267)
2021-05-29 00:00:00
freebsd
freebsd
go -- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader; archive/zip: panic when calling Reader.Open
2021-03-05 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package golang version 1.16.1-alt1
2021-03-11 00:00:00
Security fix for the ALT Linux 9 package golang version 1.15.9-alt1
2021-03-11 00:00:00
ibm
ibm
Security Bulletin: IBM Cloud Private is vulnerable to a Go vulnerability (CVE-2021-27919, CVE-2021-27918)
2021-09-03 13:39:16
Security Bulletin: IBM API Connect is impacted by a vulnerability in Golang (CVE-2021-27919)
2021-08-16 23:03:41
Security Bulletin: IBM CICS TX Standard is vulnerable to a denial of service, caused by an infinite loop flaw in Golang Go (CVE-2021-27918).
2023-02-14 21:14:53
osv
osv
Panic when opening archives in archive/zip
2021-04-14 20:04:52
BIT-golang-2021-27919
2024-03-06 11:06:19
CVE-2021-27919
2021-03-11 00:15:12
cvelist
cvelist
CVE-2021-27919
2021-03-11 00:00:13
CVE-2021-27918
2021-03-10 23:54:43
CVE-2021-3703
2022-08-26 15:25:40
veracode
veracode
Denial Of Service (DoS)
2021-03-11 03:11:01
Denial Of Service (DoS)
2021-03-11 04:13:55
nvd
nvd
CVE-2021-27919
2021-03-11 00:15:12
CVE-2021-27918
2021-03-11 00:15:12
CVE-2021-3703
2022-08-26 16:15:09
redhatcve
redhatcve
CVE-2021-27919
2021-03-11 18:04:05
CVE-2021-27918
2021-03-11 18:04:02
CVE-2021-3724
2021-08-19 07:33:26
ubuntucve
ubuntucve
CVE-2021-27919
2021-03-11 00:00:00
CVE-2021-27918
2021-03-11 00:00:00
debiancve
debiancve
CVE-2021-27919
2021-03-11 00:15:12
CVE-2021-27918
2021-03-11 00:15:12
prion
prion
Design/Logic Flaw
2021-03-11 00:15:00
Design/Logic Flaw
2021-03-11 00:15:00
Design/Logic Flaw
2022-08-26 16:15:00
cve
cve
CVE-2021-27919
2021-03-11 00:15:12
CVE-2021-27918
2021-03-11 00:15:12
CVE-2021-3703
2022-08-26 16:15:09
alpinelinux
alpinelinux
CVE-2021-27919
2021-03-11 00:15:12
CVE-2021-27918
2021-03-11 00:15:12
oraclelinux
oraclelinux
olcne security update
2021-05-29 00:00:00
olcne security update
2021-05-29 00:00:00
go-toolset:ol8 security, bug fix, and enhancement update
2021-08-12 00:00:00
suse
suse
Security update for go1.15 (moderate)
2021-03-27 00:00:00
cbl_mariner
cbl_mariner
CVE-2021-27918 affecting package golang 1.15.7-1
2021-07-08 21:56:48
fedora
fedora
[SECURITY] Fedora 34 Update: golang-1.16.8-1.fc34
2021-09-22 16:30:52
[SECURITY] Fedora 35 Update: golang-1.16.8-2.fc35
2021-09-24 20:54:01
photon
photon
Important Photon OS Security Update - PHSA-2021-0013
2021-04-22 00:00:00
Important Photon OS Security Update - PHSA-2021-4.0-0013
2021-04-22 00:00:00
Important Photon OS Security Update - PHSA-2021-0248
2021-06-04 00:00:00
redhat
redhat
(RHSA-2021:2704) Moderate: Release of OpenShift Serverless Client kn 1.16.0
2021-07-13 16:30:23
(RHSA-2021:3076) Moderate: go-toolset:rhel8 security, bug fix, and enhancement update
2021-08-10 12:00:58
(RHSA-2021:3555) Moderate: Release of OpenShift Serverless Client kn 1.17.0
2021-09-16 15:05:22
rocky
rocky
go-toolset:rhel8 security, bug fix, and enhancement update
2021-08-10 12:00:58
almalinux
almalinux
Moderate: go-toolset:rhel8 security, bug fix, and enhancement update
2021-08-10 12:00:58
amazon
amazon
Important: golang
2022-04-25 15:59:00
Important: golang
2022-07-28 21:55:00
Important: golang
2022-09-15 03:57:00
mageia
mageia
Updated golang packages fix security vulnerabilities
2021-07-25 11:34:17
gentoo
gentoo
Go: Multiple Vulnerabilities
2022-08-04 00:00:00

0.001 Low

EPSS

Percentile

40.2%

JSON
Related for D910928648A66660B4EF26E5685D05C7C8D269DFFB0ACC4D4B2EDAFF261E4D46
openvas10nessus24freebsd1altlinux2ibm15osv7cvelist3veracode2nvd3redhatcve4ubuntucve2debiancve2prion3cve3alpinelinux2oraclelinux3suse1cbl_mariner1fedora2photon5redhat5rocky1almalinux1amazon3mageia1gentoo1