Vulnerability Name: CVE-2021-27645 (CCN-197417)

Assigned: 2021-02-24
Published: 2021-02-24
Updated: 2022-11-04
Summary: The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.
CVSS v3 Severity:
  2.5 Low (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)
  2.2 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Local; Attack Complexity (AC): High; Privileges Required (PR): Low; User Interaction (UI): None
    Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Low
  4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
  3.5 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Local; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
    Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Low
  2.5 Low (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)
  2.2 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Local; Attack Complexity (AC): High; Privileges Required (PR): Low; User Interaction (UI): None
    Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Low

CVSS v2 Severity:
  1.9 Low (CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:N/A:P)
    Exploitability Metrics: Access Vector (AV): Local; Access Complexity (AC): Medium; Authentication (Au): None
    Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial
  2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P)
    Exploitability Metrics: Access Vector (AV): Local; Access Complexity (AC): Low; Authentication (Au): None
    Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial
Vulnerability Type: CWE-415 (Double Free), CWE-416 (Use After Free)
Vulnerability Consequences: Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2021-27645

Source: XF
Type: UNKNOWN
gnu-glibc-cve202127645-dos(197417)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20221017 [SECURITY] [DLA 3152-1] glibc security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-2ba993d6c5

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-6749bfcfd9

Source: GENTOO
Type: Third Party Advisory
GLSA-202107-07

Source: CCN
Type: Sourceware Bugzilla – Bug 27462
(CVE-2021-27645) - double-free in nscd (CVE-2021-27645)

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://sourceware.org/bugzilla/show_bug.cgi?id=27462

Source: CCN
Type: IBM Security Bulletin 6524336 (Speech to Text)
Redhat glibc Vulnerability affects Watson Speech Services

Source: CCN
Type: IBM Security Bulletin 6526526 (App Connect Professional)
App Connect Professional is affected by GNU C Library vulnerability

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6560036 (Elastic Storage System)
glibc vulnerability affects IBM Elastic Storage System (CVE-2021-27645)

Source: CCN
Type: IBM Security Bulletin 6856409 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-27645

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:gnu:glibc:*:*:*:*:*:*:*:* (Version >= 2.29 and <= 2.33)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:gnu:glibc:2.29:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.33:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:elastic_storage_system:6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.6.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8010 | P | glibc-devel-32bit-2.31-150300.46.1 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:7510 | P | glibc-2.31-150300.46.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:3385 | P | tpm2.0-tools-3.1.4-1.12 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94565 | P | glibc-2.31-150300.20.7 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95015 | P | glibc-devel-32bit-2.31-150300.20.7 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:2935 | P | glibc-2.31-150300.20.7 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:68 | P | glibc-2.31-7.30 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:112305 | P | glibc-2.34-1.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:997 | P | Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container (Important) | 2022-01-10
oval:com.redhat.rhsa:def:20214358 | P | RHSA-2021:4358: glibc security, bug fix, and enhancement update (Moderate) | 2021-11-09
oval:org.opensuse.security:def:105828 | P | glibc-2.34-1.2 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:62086 | P | glibc-2.31-7.30 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1919 | P | glibc-devel-32bit-2.31-7.20 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:63008 | P | glibc-devel-32bit-2.31-7.20 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:71827 | P | glibc-2.31-7.30 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:100844 | P | glibc-2.31-7.30 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72727 | P | glibc-devel-32bit-2.31-7.20 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101266 | P | glibc-devel-32bit-2.31-7.20 on GA media (Moderate) | 2021-08-09