Vulnerability Name:

CVE-2021-3421 (CCN-203124)

Assigned:2021-03-11
Published:2021-03-11
Updated:2022-06-03
Summary:A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.
CVSS v3 Severity:5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L)
5.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): Low
4.7 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
4.1 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.2 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:C/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availibility (A): Partial
Vulnerability Type:CWE-347
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2021-3421

Source: CCN
Type: Red Hat Bugzilla - Bug 1927747
(CVE-2021-3421) - CVE-2021-3421 rpm: unsigned signature header leads to string injection into an rpm database

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1927747

Source: XF
Type: UNKNOWN
rpm-cve20213421-sec-bypass(203124)

Source: CCN
Type: rpm GIT Repository
Be much more careful about copying data from the signature header

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-8d52a8a999

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-2383d950fd

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-662680e477

Source: GENTOO
Type: Third Party Advisory
GLSA-202107-43

Source: CCN
Type: IBM Security Bulletin 6493729 (Cloud Pak for Security)
Cloud Pak for Security is vulnerable to several CVEs

Source: CCN
Type: IBM Security Bulletin 6541298 (Cloud Pak for Automation)
Multiple security vulnerabilities fixed in Cloud Pak for Automation components

Source: CCN
Type: IBM Security Bulletin 6560126 (Sterling Connect:Direct for UNIX Certified Container)
IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93

Source: CCN
Type: IBM Security Bulletin 6823145 (AIX)
Due to RPM, AIX is vulnerable to arbitrary code execution (CVE-2021-20271), RPM database corruption (CVE-2021-3421), and denial of service (CVE-2021-20266)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:rpm:rpm:*:*:*:*:*:*:*:* (Version < 4.16.1.3)

    • Configuration 2:
  • cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:ibm:aix:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:7.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8063
    P
    		rpm-build-4.14.3-150300.55.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:7677
    P
    		libssh2-1-1.9.0-4.13.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:7575
    P
    		libarchive-devel-3.5.1-150400.3.12.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:7586
    P
    		libcryptopp-devel-8.6.0-150400.1.6 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:7795
    P
    		rpm-32bit-4.14.3-150300.55.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:7660
    P
    		libruby2_5-2_5-2.5.9-150000.4.26.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:750
    P
    		Security update for frr (Important)
    2022-09-12
    oval:org.opensuse.security:def:6130
    P
    		Security update for u-boot (Important)
    2022-08-04
    oval:org.opensuse.security:def:6131
    P
    		Security update for qpdf (Important)
    2022-08-04
    oval:org.opensuse.security:def:3651
    P
    		Security update for gpg2 (Important)
    2022-07-25
    oval:org.opensuse.security:def:3501
    P
    		glib2-lang-2.48.2-12.15.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3189
    P
    		libipa_hbac0-1.16.1-4.17.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3427
    P
    		apache-commons-beanutils-1.9.2-3.3.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94919
    P
    		libICE6-32bit-1.0.9-1.25 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94819
    P
    		rpm-32bit-4.14.3-150300.46.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:95057
    P
    		rpm-build-4.14.3-150300.46.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94613
    P
    		libXp-devel-1.0.3-1.24 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:353
    P
    		rpm-32bit-4.14.3-150300.46.1 on GA media (Moderate)
    2022-06-10
    oval:org.opensuse.security:def:95408
    P
    		Security update for php8 (Low)
    2022-06-02
    oval:org.opensuse.security:def:4569
    P
    		Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP5) (Important)
    2022-04-13
    oval:org.opensuse.security:def:102121
    P
    		Security update for the Linux Kernel (Important)
    2022-04-12
    oval:org.opensuse.security:def:112810
    P
    		librpmbuild9-4.16.1.3-3.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:101632
    P
    		Security update for systemd (Moderate)
    2022-01-11
    oval:org.opensuse.security:def:4510
    P
    		Security update for the Linux Kernel (Live Patch 13 for SLE 12 SP5) (Important)
    2021-11-17
    oval:org.opensuse.security:def:111088
    P
    		Security update for rpm (Important)
    2021-10-18
    oval:org.opensuse.security:def:102652
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:95939
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:117506
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:108298
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:76529
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:73712
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:5860
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:95969
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:117812
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:108787
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:68749
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:65599
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:76017
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:95983
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:118372
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:109286
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:102620
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:95907
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:107992
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:68664
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:64590
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:74667
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:101326
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:118409
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:109318
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:66949
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:42128
    P
    		Security update for rpm (Important)
    2021-10-15
    oval:org.opensuse.security:def:106279
    P
    		librpmbuild9-4.16.1.3-3.2 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:111662
    P
    		Security update for rpm (Important)
    2021-08-17
    oval:org.opensuse.security:def:111663
    P
    		Security update for libdnf (Moderate)
    2021-08-13
    oval:org.opensuse.security:def:67220
    P
    		Security update for libdnf (Moderate)
    2021-08-13
    oval:org.opensuse.security:def:76288
    P
    		Security update for libdnf (Moderate)
    2021-08-13
    oval:org.opensuse.security:def:68675
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:93574
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:64740
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:1571
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:74726
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:100315
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:94392
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:67219
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:93100
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:99402
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:93755
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:100644
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:93260
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:76546
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:1118
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:73862
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:99665
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:68766
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:93969
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:65658
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:76287
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:101481
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:93418
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:1548
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:99979
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:94181
    P
    		 (Important)
    2021-08-12
    oval:org.opensuse.security:def:101796
    P
    		Security update for rpm (Important)
    2021-08-12
    oval:com.redhat.rhsa:def:20212574
    P
    		RHSA-2021:2574: rpm security update (Moderate)
    2021-06-29
    BACK
    rpm rpm *
    redhat enterprise linux 8.0
    fedoraproject fedora 32
    fedoraproject fedora 33
    fedoraproject fedora 34
    ibm aix 7.1
    ibm aix 7.2
    ibm cloud pak for automation 21.0.1
    ibm cloud pak for automation 21.0.2 -
    ibm cloud pak for security 1.7.0.0
    ibm cloud pak for security 1.7.1.0
    ibm cloud pak for security 1.7.2.0
    ibm aix 7.3