Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMF093A08993AEB53C8D5F6F2FE220825F9FC675CC904F54B3FE037444F61A7876
HistoryMar 16, 2022 - 2:27 a.m.

Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717)

2022-03-1602:27:54
www.ibm.com
21

0.003 Low

EPSS

Percentile

69.5%

JSON

Summary

The IBM Spectrum Protect Server might be affected by vulnerabilties in IBM® Runtime Environment Java™ and Golang Go such as denial of service and bypassing security restrictions. The Java vulnerability was disclosed as part of the IBM Java SDK updates in October 2021. UPDATED: March 14, 2022 - The fixing level for these CVEs has been changed to 8.1.14.100.

Vulnerability Details

CVEID:CVE-2021-35578
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211654 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2021-44716
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled memory consumption in the header canonicalization cache in net/http. By sending HTTP/2 requests, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216553 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-44717
**DESCRIPTION:**Golang Go could allow a remote attacker to bypass security restrictions, caused by an error in the syscall.ForkExec() interface. By causing the erroneous closing of file descriptor 0 after file-descriptor exhaustion, an attacker could exploit this vulnerability to compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec().
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216563 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Spectrum Protect Server

8.1.0.000-8.1.13.xxx (Java CVE)
8.1.7.000-8.1.13.xxx (Golang Go CVEs)

Remediation/Fixes

_IBM Spectrum Protect Operations Center Affected Versions
_|Fixing
Level|Platform|_Link to Fix and Instructions
_
—|—|—|—
8.1.0.000-8.1.13.xxx (Java CVE)
8.1.7.000-8.1.13.xxx (Go CVEs)| 8.1.14.100| AIX
Linux
Windows| http://www.ibm.com/support/pages/node/6562367

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm spectrum protecteq8.1

Related

nessus 35
oraclelinux 2
almalinux 2
altlinux 1
osv 15
openvas 19
fedora 4
freebsd 1
suse 3
mageia 1
ibm 31
rocky 2
redhat 15
veracode 3
nvd 4
debiancve 3
redhatcve 4
alpinelinux 3
cbl_mariner 24
ubuntucve 4
cve 4
cvelist 4
prion 3
github 2
photon 2
gitlab 1
broadcom 1
cnvd 1
debian 2
amazon 1
vulnrichment 1
ics 1
nessus
nessus
FreeBSD : go -- multiple vulnerabilities (720505fe-593f-11ec-9ba8-002324b2fba8)
2021-12-13 00:00:00
SUSE SLED15 / SLES15 Security Update : go1.16 (SUSE-SU-2021:4169-1)
2021-12-25 00:00:00
RHEL 8 : go-toolset:rhel8 (RHSA-2021:5160)
2021-12-15 00:00:00
oraclelinux
oraclelinux
go-toolset:ol8 security and bug fix update
2021-12-16 00:00:00
grafana security update
2022-01-04 00:00:00
almalinux
almalinux
Important: go-toolset:rhel8 security and bug fix update
2021-12-15 16:11:05
Important: grafana security update
2022-01-03 07:30:31
altlinux
altlinux
Security fix for the ALT Linux 10 package golang version 1.17.5-alt1
2021-12-09 00:00:00
osv
osv
Important: go-toolset:rhel8 security and bug fix update
2021-12-15 16:11:05
Important: go-toolset:rhel8 security and bug fix update
2021-12-15 16:11:05
Misdirected I/O in syscall
2022-05-18 18:23:23
openvas
openvas
Fedora: Security Advisory for golang (FEDORA-2021-29943703de)
2022-01-01 00:00:00
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2022-1487)
2022-04-20 00:00:00
openSUSE: Security Advisory for go1.16 (openSUSE-SU-2021:1626-1)
2022-02-01 00:00:00
fedora
fedora
[SECURITY] Fedora 34 Update: golang-1.16.12-1.fc34
2021-12-30 01:43:52
[SECURITY] Fedora 35 Update: golang-1.16.12-1.fc35
2021-12-30 01:19:52
[SECURITY] Fedora 34 Update: grafana-7.5.11-3.fc34
2022-01-27 19:38:51
freebsd
freebsd
go -- multiple vulnerabilities
2021-12-08 00:00:00
suse
suse
Security update for go1.16 (moderate)
2021-12-23 00:00:00
Security update for go1.17 (moderate)
2021-12-23 00:00:00
Security update for go1.16 (moderate)
2021-12-26 00:00:00
mageia
mageia
Updated golang packages fix security vulnerability
2021-12-26 03:14:13
ibm
ibm
Security Bulletin: Security Vulnerabilities affect IBM Cloud Private - Golang (CVE-2021-44716, CVE-2021-44717)
2022-04-22 20:46:15
Security Bulletin: IBM DataPower Gateway Operand affected by vulnerabilities in Go (CVE-2021-44716, CVE-2021-44717)
2022-05-23 19:55:40
Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote attack due to Go CVE-2021-44717
2022-05-05 15:02:02
rocky
rocky
go-toolset:rhel8 security and bug fix update
2021-12-15 16:11:05
grafana security update
2022-01-03 07:30:31
redhat
redhat
(RHSA-2021:5160) Important: go-toolset:rhel8 security and bug fix update
2021-12-15 16:11:05
(RHSA-2022:0927) Moderate: OpenShift Container Platform 4.10.5 packages and security update
2022-03-21 11:55:47
(RHSA-2022:1056) Moderate: Release of OpenShift Serverless Client kn 1.21.0
2022-03-24 15:02:11
veracode
veracode
Invalid I/O Calculation
2021-12-14 20:52:34
Denial Of Service (DoS)
2021-12-14 20:52:35
Improper Input Validation
2021-10-26 21:55:43
nvd
nvd
CVE-2021-44717
2022-01-01 05:15:08
CVE-2021-44716
2022-01-01 05:15:08
CVE-2021-35578
2021-10-20 11:16:55
debiancve
debiancve
CVE-2021-44717
2022-01-01 05:15:08
CVE-2021-44716
2022-01-01 05:15:08
CVE-2021-35578
2021-10-20 11:16:55
redhatcve
redhatcve
CVE-2021-44716
2022-05-07 14:12:12
CVE-2021-44717
2022-05-07 14:09:50
CVE-2021-35578
2021-10-19 21:25:44
alpinelinux
alpinelinux
CVE-2021-44716
2022-01-01 05:15:08
CVE-2021-44717
2022-01-01 05:15:08
CVE-2021-35578
2021-10-20 11:16:55
cbl_mariner
cbl_mariner
CVE-2021-44716 affecting package git-lfs for versions less than 3.1.4-17
2024-02-14 17:05:34
CVE-2021-44716 affecting package csi-driver-lvm for versions less than 0.4.1-15
2024-02-14 17:05:34
CVE-2021-44716 affecting package application-gateway-kubernetes-ingress for versions less than 1.4.0-19
2024-02-14 17:05:34
ubuntucve
ubuntucve
CVE-2021-44717
2022-01-01 00:00:00
CVE-2021-44716
2022-01-01 00:00:00
CVE-2021-35578
2021-10-20 00:00:00
cve
cve
CVE-2021-44717
2022-01-01 05:15:08
CVE-2021-44716
2022-01-01 05:15:08
CVE-2021-35578
2021-10-20 11:16:55
cvelist
cvelist
CVE-2021-44717
2022-01-01 00:00:00
CVE-2021-44716
2022-01-01 00:00:00
CVE-2021-35578
2021-10-20 10:50:24
prion
prion
Code injection
2022-01-01 05:15:00
Design/Logic Flaw
2022-01-01 05:15:00
Code injection
2021-10-20 11:16:00
github
github
Unbounded memory usage on exposed HTTP/2 (non-gRPC) endpoints
2022-01-12 22:33:04
golang.org/x/net/http2 allows uncontrolled memory consumption
2022-01-02 00:00:48
photon
photon
Important Photon OS Security Update - PHSA-2022-0154
2022-02-07 00:00:00
Important Photon OS Security Update - PHSA-2022-0440
2022-02-07 00:00:00
gitlab
gitlab
Uncontrolled Resource Consumption
2022-01-02 00:00:00
broadcom
broadcom
BSA-2022-1689
2022-07-29 00:00:00
cnvd
cnvd
Oracle Java SE and Oracle GraalVM Enterprise Edition Denial of Service Vulnerability (CNVD-2021-81805)
2021-10-20 00:00:00
debian
debian
[SECURITY] [DLA 2892-1] golang-1.7 security update
2022-01-21 22:02:47
[SECURITY] [DLA 2891-1] golang-1.8 security update
2022-01-21 22:02:40
amazon
amazon
Important: golang
2022-04-25 15:59:00
vulnrichment
vulnrichment
CVE-2024-4437 Etcd: incomplete fix for cve-2021-44716 in openstack platform
2024-05-08 08:57:40
ics
ics
Siemens Brownfield Connectivity Gateway
2023-02-16 12:00:00

0.003 Low

EPSS

Percentile

69.5%

JSON
Related for F093A08993AEB53C8D5F6F2FE220825F9FC675CC904F54B3FE037444F61A7876
nessus35oraclelinux2almalinux2altlinux1osv15openvas19fedora4freebsd1suse3mageia1ibm31rocky2redhat15veracode3nvd4debiancve3redhatcve4alpinelinux3cbl_mariner24ubuntucve4cve4cvelist4prion3github2photon2gitlab1broadcom1cnvd1debian2amazon1vulnrichment1ics1