CVE-2021-3114: Medium severity IBM Cloud Pak for Security vulnerability

Q: What is CVE-2021-3114?

CVE-2021-3114 is an unspecified error with the P224() Curve implementation in Golang.

Q: What is the severity of CVE-2021-3114?

CVE-2021-3114 has a severity score of 6.5 (Medium).

Q: Which software is affected by CVE-2021-3114?

The affected software includes Golang versions 1.11, 1.15, and Red Hat Go.

Q: How can I fix CVE-2021-3114?

To fix CVE-2021-3114, update your Golang installation to the recommended versions or apply the provided patches.

Q: What is the impact of CVE-2021-3114?

The highest threat from CVE-2021-3114 is to confidentiality and integrity.

Published Jan 20, 2021

Updated

A flaw detected in golang: crypto/elliptic, in which P-224 keys as generated can return incorrect inputs, reducing the strength of the cryptography. The highest threat from this vulnerability is confidentiality and integrity.

Other sources

An unspecified error with the P224() Curve implementation can generate incorrect outputs in Golang Go has an unknown impact and attack vector.

— IBM

In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.

The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.

— Red Hat

Affected Software

26 affected componentsFixes available

debian/golang-1.11

1.11.6-1+deb10u41.11.6-1+deb10u7

debian/golang-1.15

1.15.15-1~deb11u4

redhat/heketi<0:10.4.0-2.el7

0:10.4.0-2.el7

redhat/openshift-serverless-clients<0:0.20.0-6.el8

0:0.20.0-6.el8

redhat/openshift-serverless-clients<0:0.20.0-7.el8

0:0.20.0-7.el8

redhat/grafana<0:7.5.9-4.el8

0:7.5.9-4.el8

redhat/ignition<0:2.6.0-7.rhaos4.6.git947598e.el8

0:2.6.0-7.rhaos4.6.git947598e.el8

redhat/openshift<0:4.7.0-202103181538.p0.git.97109.7576cdc.el7

0:4.7.0-202103181538.p0.git.97109.7576cdc.el7

redhat/openshift-clients<0:4.7.0-202103191426.p0.git.3953.f3a7513.el7

0:4.7.0-202103191426.p0.git.3953.f3a7513.el7

redhat/cri-o<0:1.20.2-4.rhaos4.7.gitd5a999a.el8

0:1.20.2-4.rhaos4.7.gitd5a999a.el8

redhat/cri-tools<0:1.20.0-2.el8

0:1.20.0-2.el8

redhat/runc<0:1.0.0-95.rhaos4.8.gitcd80260.el8

0:1.0.0-95.rhaos4.8.gitcd80260.el8

redhat/golang-github-prometheus-promu<0:0.5.0-3.git642a960.el8

0:0.5.0-3.git642a960.el8

redhat/ignition<0:2.9.0-6.rhaos4.8.el8

0:2.9.0-6.rhaos4.8.el8

redhat/kubevirt<0:4.9.0-287.el8

0:4.9.0-287.el8

redhat/go<1.15.7

1.15.7

redhat/go<1.14.14

1.14.14

IBM Cloud Pak for Security<=1.10.0.0 - 1.10.11.0

IBM QRadar Suite Software<=1.10.12.0 - 1.10.16.0

Golang Go<1.14.14

Golang Go>=1.15<1.15.7

Fedoraproject Fedora=33

Debian Debian Linux=9.0

Debian Debian Linux=10.0

NetApp Cloud Insights Telegraf Agent

NetApp Storagegrid

Remediation

Patch Available

https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871

Event History

Jan 20, 2021

CVE Published

12:00 AM

Jan 21, 2021

Data Sourced

via Red Hat·02:01 PM

DescriptionSeverityAffected Software

Jan 26, 2021

CVE Published

via MITRE·02:23 AM

Data Sourced

via MITRE·02:23 AM

Description

Parent advisories

This vulnerability appears in the following advisories.

Frequently Asked Questions

What is CVE-2021-3114?

CVE-2021-3114 is an unspecified error with the P224() Curve implementation in Golang.

What is the severity of CVE-2021-3114?