Impact of CVE-2021-44716 and CVE-2021-44717 on Mender

As always I’d like to ask you guys if you see these two beauties as a threat for Yocto Dunfell installations. Thanks!

[1] NVD - CVE-2021-44716
[2] NVD - CVE-2021-44717

I think affected, but the impact is likely to be low. You’d need to have complete control of the server, as well as its private key, in order to send arbitrary headers to the clients.

Affected, and this one can in theory be exploited. You’d need access to the device in some way that allows you to increase the number of file descriptors used. There are many ways that this could happen.

There is a related fix in the client, which doesn’t fix the issue, but mitigates it. This is scheduled for release on all the currently supported versions of the client, 2.5.4, 3.0.2 and 3.1.1, which are all about to be released.

The Golang issue should be reported on the OpenEmbedded mailing list, if it hasn’t already been, and I expect they will fix it pretty quickly. They already have several patches for earlier CVEs.
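To make the "is my toolchain affected" question answerable on a Dunfell build, here is an added example (not code from this thread, from Mender, or from OpenEmbedded). It classifies a Go toolchain version string against the upstream fix releases for CVE-2021-44716 and CVE-2021-44717, which the Go team shipped as Go 1.16.12 and Go 1.17.5; minor lines older than 1.16 never received an upstream fix, so the check treats them as affected. The function name `ToolchainAffected` and the sample version strings are assumptions of this example. Note that it only judges the vanilla upstream toolchain: a distro that backports the two patches (as the OpenEmbedded Go recipes do for earlier CVEs) would still report as affected here, so treat a "true" result as "verify the recipe's patch list", not as a confirmed hole.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// Upstream fix releases for CVE-2021-44716 / CVE-2021-44717 (Go security
// release of 2021-12-09): first patched patch level per 1.x minor line.
// Minor lines absent from this map (1.15 and below) never got a fix upstream.
var fixedPatch = map[int]int{16: 12, 17: 5}

// Matches the leading "goMAJOR.MINOR[.PATCH]" of strings such as "go1.16.10"
// or "go1.17" (as printed by `go version`, `go version -m <binary>` and
// runtime.Version()). Pre-release suffixes like "rc1" are ignored.
var versionRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion splits a toolchain version string into its numeric parts.
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	m := versionRE.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, 0, false
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major, minor, patch, true
}

// ToolchainAffected reports whether the given upstream Go toolchain version
// predates the fix for the two CVEs. It fails closed: anything it cannot
// parse, or any major version other than 1, is reported as affected so that
// a scanner never silently passes an unknown build.
func ToolchainAffected(v string) bool {
	major, minor, patch, ok := parseGoVersion(v)
	if !ok || major != 1 {
		return true
	}
	if minor >= 18 {
		return false // 1.18 and later were cut after the fix landed
	}
	fix, known := fixedPatch[minor]
	if !known {
		return true // 1.15 and earlier: no upstream fix release exists
	}
	return patch < fix
}

func main() {
	// Constructed sample inputs (not real scan results), plus the running toolchain.
	samples := []string{"go1.14.7", "go1.16.10", "go1.16.12", "go1.17.4", "go1.17.5", "go1.18", runtime.Version()}
	for _, s := range samples {
		fmt.Printf("%-12s affected=%v\n", s, ToolchainAffected(s))
	}
}
```

To apply it to a deployed image, feed it the toolchain string that `go version -m /path/to/mender` (or `go version <binary>`) prints for the client binary on the rootfs, rather than the version of whatever Go happens to be installed on the build host.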

