CVE-2021-3703
Description
Red Hat Serverless 1.16.0 incorrectly listed fixes for three CVEs; the actual fix was delivered in Serverless 1.17.0, leaving earlier versions vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Red Hat Serverless 1.16.0 and the Serverless client kn 1.16.0 were documented as containing fixes for CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 [1], but those fixes were not actually present until Serverless 1.17.0 [2]. The root cause was a build problem rather than a code change: the kn CLI in 1.16.0 was compiled with a Go toolchain that predated the upstream fixes for those three Go standard-library issues, so the vulnerable library code was still linked into the shipped binary. Because the defects live in the Go runtime libraries, the only remedy is a rebuild with a patched toolchain. knative-serving and knative-eventing were not affected [2].
Exploitation
An attacker can exploit the underlying vulnerabilities (CVE-2021-27918, CVE-2021-31525, CVE-2021-33196) against Serverless 1.16.0 or the kn client 1.16.0 exactly as against any unpatched Go binary, since the advertised fixes were never present [1][2]. The preconditions are those of each underlying Go CVE (crafted input reaching the affected standard-library code path). CVE-2021-3703 adds no new attack technique; its effect is that 1.16.0 stays in scope for those attacks, so any operator who accepted the 1.16.0 advisory and closed tracking for the three CVEs is still exposed.
Impact
Systems running Serverless 1.16.0 or kn 1.16.0 remain vulnerable to the original CVEs [1]; the three underlying issues are crash or hang conditions in Go's encoding/xml, net/http and archive/zip packages, so the direct impact is denial of service of the affected binary. The secondary harm is a false sense of security: operators who relied on the 1.16.0 advisory believed they were patched and may have stopped tracking the CVEs.
Mitigation
Upgrade to Red Hat Serverless 1.17.0 or later, which contains the correct fixes for all three CVEs [1][2]. No workaround is available. Note that the knative-serving and knative-eventing components are not affected by this incomplete fix [2]. Since this CVE exists because a release note was wrong, verify the fix on the artifact itself rather than on the version string: `go version -m /path/to/kn` prints the Go toolchain the binary was built with, which is what determines whether the standard-library fixes are present.
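The check described above, as an added example (this is not Red Hat or Knative code and is not taken from the cited advisory): a small Go program that reads the toolchain version recorded in a kn binary via the standard `debug/buildinfo` package and reports whether it predates the three fixes. The cut-off versions are an assumption taken from the Go release notes, not from this page: the last of the three fixes (archive/zip, CVE-2021-33196) landed in Go 1.15.13 and 1.16.5, so any 1.15.x or 1.16.x toolchain older than those, and anything on 1.14 or earlier, lacks at least one fix; 1.17 and later branched after all three.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed "goX.Y.Z" toolchain string.
type goVersion struct{ major, minor, patch int }

// parseGoVersion parses strings such as "go1.16.4" as reported by
// `go version -m` or debug/buildinfo. A pre-release suffix ("go1.17beta1")
// is dropped and treated as patch 0 of that minor line.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	for i, c := range s { // cut at the first non-numeric character
		if !(c >= '0' && c <= '9' || c == '.') {
			s = s[:i]
			break
		}
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var v goVersion
	var err error
	if v.major, err = strconv.Atoi(parts[0]); err != nil {
		return goVersion{}, err
	}
	if v.minor, err = strconv.Atoi(parts[1]); err != nil {
		return goVersion{}, err
	}
	if len(parts) == 3 {
		if v.patch, err = strconv.Atoi(parts[2]); err != nil {
			return goVersion{}, err
		}
	}
	return v, nil
}

// less reports whether v is an older release than o.
func (v goVersion) less(o goVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// fixedIn is the first patch release per supported minor line that carries
// all three fixes. Assumption from the Go release notes (not from the
// advisory): CVE-2021-33196 was the last to land, in Go 1.15.13 and 1.16.5.
var fixedIn = map[int]goVersion{
	15: {1, 15, 13},
	16: {1, 16, 5},
}

// lacksFixes reports whether a binary built with toolchain version s
// predates the fixes for CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196.
func lacksFixes(s string) (bool, error) {
	v, err := parseGoVersion(s)
	if err != nil {
		return false, err
	}
	if v.major != 1 {
		return false, fmt.Errorf("unsupported Go major version %d", v.major)
	}
	if v.minor < 15 { // 1.14 and older were out of support and never got the fixes
		return true, nil
	}
	if v.minor > 16 { // 1.17+ branched from master after all three fixes
		return false, nil
	}
	return v.less(fixedIn[v.minor]), nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: kn-gocheck <path-to-kn-binary>")
		os.Exit(2)
	}
	info, err := buildinfo.ReadFile(os.Args[1]) // reads the embedded Go build info
	if err != nil {
		fmt.Fprintln(os.Stderr, "not a Go binary or unreadable:", err)
		os.Exit(2)
	}
	vuln, err := lacksFixes(info.GoVersion)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if vuln {
		fmt.Printf("%s: built with %s, which predates the fixes; still vulnerable\n", os.Args[1], info.GoVersion)
		os.Exit(1)
	}
	fmt.Printf("%s: built with %s, fixes present\n", os.Args[1], info.GoVersion)
}
```

Run it against the kn binary from the Serverless client download (`go run . ./kn`); a non-zero exit means the toolchain is too old. The check looks only at the toolchain version because all three issues are in the standard library, so vendored module versions are irrelevant; it is the same reasoning that makes the 1.16.0 release note wrong.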
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Red Hat / Serverless
- Range: >=1.16.0, <1.17.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] access.redhat.com/security/cve/CVE-2021-3703
- [2] bugzilla.redhat.com/show_bug.cgi
News mentions
No linked articles in our index yet.