Vulnerability CVE-2021-28831

Vulnerability Name:

CVE-2021-28831 (CCN-198461)

Assigned:

2021-03-12

Published:

2021-03-12

Updated:

2022-05-20

Summary:

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-755

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2021-28831

Source: XF
Type: UNKNOWN
busybox-cve202128831-dos(198461)

Source: CCN
Type: BusyBox GIT Repository
decompress_gunzip: Fix DoS if gzip is corrupt

Source: MISC
Type: Mailing List, Patch, Vendor Advisory
https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210401 [SECURITY] [DLA 2614-1] busybox security update

Source: FEDORA
Type: Third Party Advisory
FEDORA-2021-2024803354

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-d20c8a4730

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-e82915eee1

Source: GENTOO
Type: Third Party Advisory
GLSA-202105-09

Source: CCN
Type: IBM Security Bulletin 6601943 (QRadar Network Security)
IBM QRadar Network Security is affected by Vulnerability in busybox (CVE-2021-28831)

Vulnerable Configuration:

Configuration 1:

cpe:/a:busybox:busybox:*:*:*:*:*:*:*:* (Version >= 1.32.0 and <= 1.32.1)

Configuration 2:

cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:busybox:busybox:1.32.1:*:*:*:*:*:*:*

AND

cpe:/a:ibm:qradar_network_security:5.4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_network_security:5.5.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7456	P	busybox-1.35.0-150500.8.2 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:800	P	Security update for libjpeg-turbo (Moderate)	2022-10-04
oval:org.opensuse.security:def:3744	P	Security update for java-11-openjdk (Important) (in QA)	2022-07-22
oval:org.opensuse.security:def:3515	P	gstreamer-plugins-good-1.8.3-15.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3701	P	libvpx1-1.3.0-3.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94627	P	libbsd-devel-0.8.7-3.3.17 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:93142	P	(Important)	2022-06-10
oval:org.opensuse.security:def:93295	P	(Important)	2022-05-16
oval:org.opensuse.security:def:99753	P	(Moderate)	2022-03-04
oval:org.opensuse.security:def:119071	P	Security update for busybox (Important)	2022-02-14
oval:org.opensuse.security:def:119564	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:861	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:119189	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:101592	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:118692	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:119379	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:118882	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:100064	P	(Moderate)	2022-01-20
oval:org.opensuse.security:def:112032	P	busybox-1.35.0-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:99228	P	(Important)	2022-01-17
oval:org.opensuse.security:def:109599	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:64833	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96220	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10714	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:105918	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9876	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92278	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102900	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9129	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70581	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99626	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:69817	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109566	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:73955	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:106316	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10427	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92676	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:103028	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:100136	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:8922	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109687	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96249	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:106804	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10718	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9887	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102910	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9139	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70585	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99033	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109576	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96200	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10441	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:105723	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9677	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92083	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99427	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:69618	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96259	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:106117	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92477	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102929	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:111864	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70854	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99825	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:8727	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70016	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109595	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96210	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:106515	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10445	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92875	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102890	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9117	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70567	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96340	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109556	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:93425	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102933	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9478	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70858	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70027	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99160	P	(Important)	2021-11-11
oval:org.opensuse.security:def:111105	P	Security update for busybox (Important)	2021-10-31
oval:org.opensuse.security:def:106730	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92989	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:98965	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:105655	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:9605	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92015	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:70307	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:99355	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:69553	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:117520	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:106045	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92405	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:111767	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:8666	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:69944	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:64604	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:106443	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92803	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:101340	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:9049	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:70495	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:108006	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:73726	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:10167	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:9413	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:64790	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:105850	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:9804	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92210	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:99554	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:69745	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:73912	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:106244	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:10355	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92604	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:8854	P	Security update for busybox (Important)	2021-10-27

BACK