| Field | Value |
|---|---|
| Vulnerability Name: | CVE-2021-3521 (CCN-213411) |
| Assigned: | 2021-03-19 |
| Published: | 2021-03-19 |
| Updated: | 2023-02-12 |
| Summary: | There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add, or socially engineer another party to add, a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources. |
| CVSS v3 Severity (Base): | 4.7 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N) |
| CVSS v3 Severity (Temporal): | 4.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C) |
| CVSS v3 Severity (CCN Temporal): | 3.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C) |
| CVSS v3 Severity (REDHAT Temporal): | 3.9 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C) |
| CVSS v2 Severity: | 3.8 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:N/I:C/A:N) |
| Vulnerability Type: | CWE-347 (Improper Verification of Cryptographic Signature) |
| Vulnerability Consequences: | Bypass Security |
| Vulnerable Configuration: | Configuration RedHat 1; Configuration CCN 1 |

References:

- Source: MITRE, Type: CNA: CVE-2021-3521
- Source: secalert@redhat.com, Type: Third Party Advisory: secalert@redhat.com
- Source: CCN, Type: Red Hat Bugzilla: Bug 1941098, CVE-2021-3521 rpm: RPM does not require subkeys to have a valid binding signature
- Source: secalert@redhat.com, Type: Issue Tracking, Patch, Third Party Advisory: secalert@redhat.com
- Source: XF, Type: UNKNOWN: rpm-cve20213521-sec-bypass(213411)
- Source: secalert@redhat.com, Type: Patch, Third Party Advisory: secalert@redhat.com
- Source: CCN, Type: RPM GIT Repository: Validate self-signatures and require subkey bindings on PGP public keys #1788
- Source: secalert@redhat.com, Type: Patch, Third Party Advisory: secalert@redhat.com
- Source: secalert@redhat.com, Type: Third Party Advisory: secalert@redhat.com
- Source: CCN, Type: IBM Security Bulletin 6569153 (MQ Operator CD Release): IBM MQ Operator and Queue manager container images are vulnerable to multiple issues within Red Hat UBI packages and the IBM WebSphere Application Server Liberty shipped with IBM MQ Operator v1.7 CD Release
- Source: CCN, Type: IBM Security Bulletin 6594459 (Netcool Operations Insight): Netcool Operations Insight v1.6.4 contains fixes for multiple security vulnerabilities
- Source: CCN, Type: IBM Security Bulletin 6614453 (Robotic Process Automation for Cloud Pak): Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak
- Source: CCN, Type: IBM Security Bulletin 6838291 (Cloud Pak for Security): IBM Cloud Pak for Security includes components with multiple known vulnerabilities
- Source: CCN, Type: IBM Security Bulletin 6856409 (Cloud Pak for Security): IBM Cloud Pak for Security includes components with multiple known vulnerabilities
- Source: CCN, Type: Mend Vulnerability Database: CVE-2021-3521
- Source: CCN, Type: Oracle CPUApr2022: Oracle Critical Patch Update Advisory - April 2022