Vulnerability Name:

CVE-2021-35942 (CCN-206317)

Assigned:2021-06-30
Published:2021-06-30
Updated:2022-11-08
Summary:The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.
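The summary names the root cause but not its mechanics. wordexp() expands "$N" and "${N}" by converting the digit string N to an index into the program's argument vector; in the affected releases that conversion went through atoi(), whose int result for an over-long digit string is unchecked and can be negative, so the existing "index >= argc" test does not reject it and the lookup reads memory before argv[0] (the "wild read" of Sourceware bug 28011). The block below is an added example, not glibc's code and not part of this record: it models that lookup in a constructed argv array, puts the vulnerable atoi() pattern beside a hardened strtoul() variant written in the direction the fix commit listed in the references takes (the hardened function is this example's own illustration, not a copy of the patch), and assumes an LP64 platform with GCC/Clang, where atoi("4294967295") yields -1.

```c
/* Added example (not glibc code): models the positional-parameter lookup
 * in posix/wordexp.c parse_param() that CVE-2021-35942 concerns.
 * Assumptions: LP64 platform (Linux x86_64/aarch64) compiled with GCC or
 * Clang, so that atoi(), defined as (int) strtol(), wraps 4294967295 to -1.
 * The hardened variant illustrates the atoi -> strtoul direction of the
 * fix; it is not the glibc patch itself. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed "process memory": one word is placed *before* argv[0] so the
 * out-of-bounds read stays inside this array and is deterministic here.
 * In a real process argv[-1] is whatever happens to sit on the stack. */
static char *fake_stack[] = {
    "<<memory before argv[0]>>",   /* fake_stack[0] == demo_argv[-1] */
    "prog", "first", "second",     /* demo_argv[0..2] */
    NULL
};
static char **const demo_argv = fake_stack + 1;
static const int demo_argc = 3;

/* Vulnerable pattern: atoi() reports no overflow; the int it returns for
 * an over-long digit string is unspecified and may be negative. */
const char *positional_param_atoi(const char *digits, int argc, char **argv)
{
    int n = atoi(digits);
    if (n >= argc)
        return NULL;            /* only the upper bound is checked */
    return argv[n];             /* negative n reads before argv[0] */
}

/* Hardened pattern: strtoul() with ERANGE and end-pointer checks, then an
 * unsigned comparison so nothing below 0 or at/above argc gets through. */
const char *positional_param_strtoul(const char *digits, int argc, char **argv)
{
    char *end;
    errno = 0;
    unsigned long n = strtoul(digits, &end, 10);
    if (errno == ERANGE || end == digits || *end != '\0')
        return NULL;            /* overflow, empty input, or trailing junk */
    if (argc <= 0 || n >= (unsigned long)argc)
        return NULL;            /* out of range: substitute nothing */
    return argv[n];
}

int main(void)
{
    /* Constructed probe patterns: a valid index, one past the end, and
     * the 32-bit wrap value that turns into -1 through atoi(). */
    const char *probes[] = { "1", "3", "4294967295" };
    for (size_t i = 0; i < sizeof probes / sizeof *probes; i++) {
        const char *a = positional_param_atoi(probes[i], demo_argc, demo_argv);
        const char *s = positional_param_strtoul(probes[i], demo_argc, demo_argv);
        printf("${%s}: atoi -> %s | strtoul -> %s\n", probes[i],
               a ? a : "(null)", s ? s : "(null)");
    }
    return 0;
}
```

The third probe is the point of the example: the atoi() path returns the sentinel stored before argv[0], which in a real process is an arbitrary stack word handed back to the caller as the expansion result, while the strtoul() path rejects the same pattern. The end-pointer check is extra relative to what parse_param() needs (it has already confirmed the first character is a digit), but it is the right shape for any code that turns untrusted digit strings into indices.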
CVSS v3 Severity: 9.1 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
7.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): High
7.7 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
6.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): High
9.1 Critical (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
7.9 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): Partial
6.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-190 (Integer Overflow or Wraparound)
Vulnerability Consequences: Obtain Information
References:Source: MITRE
Type: CNA
CVE-2021-35942

Source: XF
Type: UNKNOWN
gncglibc-cve202135942-info-disc(206317)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20221017 [SECURITY] [DLA 3152-1] glibc security update

Source: GENTOO
Type: Third Party Advisory
GLSA-202208-24

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210827-0005/

Source: CCN
Type: Sourceware Bugzilla - Bug 28011
Wild read in wordexp (parse_param) (CVE-2021-35942)

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://sourceware.org/bugzilla/show_bug.cgi?id=28011

Source: CCN
Type: glibc GIT Repository
wordexp: handle overflow in positional parameter number (bug 28011)

Source: CONFIRM
Type: Mailing List, Patch, Third Party Advisory
https://sourceware.org/git/?p=glibc.git;a=commit;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c

Source: MISC
Type: Vendor Advisory
https://sourceware.org/glibc/wiki/Security%20Exceptions

Source: CCN
Type: IBM Security Bulletin 6524340 (Speech to Text)
glibc Vulnerability affects Watson Speech Services

Source: CCN
Type: IBM Security Bulletin 6526504 (App Connect Professional)
App Connect Professional is affected by GNU C Library vulnerability

Source: CCN
Type: IBM Security Bulletin 6526522 (App Connect Professional)
App Connect Professional is affected by GNU C Library vulnerability.

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6560126 (Sterling Connect:Direct for UNIX Certified Container)
IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93

Source: CCN
Type: IBM Security Bulletin 6591509 (Flex System EN2092 1Gb Ethernet Scalable Switch)
IBM Flex System switch firmware products are affected by a vulnerability in glibc (CVE-2021-35942)

Source: CCN
Type: IBM Security Bulletin 6591511 (G7028)
IBM RackSwitch firmware products are affected by a vulnerability in glibc (CVE-2021-35942)

Source: CCN
Type: IBM Security Bulletin 6612587 (Cloud Pak System Software)
Multiple vulnerabilities in expat, glibc, http server, dojo, openssl shipped with IBM Cloud Pak System

Source: CCN
Type: IBM Security Bulletin 6829159 (Watson Speech Services Cartridge for Cloud Pak for Data)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to information disclosure or denial of service in GNU glibc (CVE-2021-35942).

Source: CCN
Type: IBM Security Bulletin 6856409 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6982841 (Netcool Operations Insight)
Netcool Operations Insight v1.6.8 addresses multiple security vulnerabilities.

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-35942

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:gnu:glibc:*:*:*:*:*:*:*:* (Version < 2.32)

Configuration 2:
  • cpe:/a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:solidfire:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:hci_management_node:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
  • OR cpe:/a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* (Version >= 11.0 and <= 11.70.1)

Configuration 3:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:gnu:glibc:2.33:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.6.0:*:*:*:*:*:*:*
  • * Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8010 | P | glibc-devel-32bit-2.31-150300.46.1 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:7510 | P | glibc-2.31-150300.46.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:783 | P | Security update for the Linux Kernel (Important) | 2022-09-26
oval:org.opensuse.security:def:3684 | P | Security update for MozillaFirefox (Important) | 2022-08-01
oval:org.opensuse.security:def:95407 | P | Security update for salt (Important) | 2022-07-06
oval:org.opensuse.security:def:3500 | P | git-core-2.12.3-27.17.2 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3385 | P | tpm2.0-tools-3.1.4-1.12 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:2935 | P | glibc-2.31-150300.20.7 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94565 | P | glibc-2.31-150300.20.7 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94612 | P | libXinerama-devel-1.1.3-1.22 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95015 | P | glibc-devel-32bit-2.31-150300.20.7 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94918 | P | imlib2-loaders-1.4.10-1.28 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:4577 | P | Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP5) (Important) | 2022-04-15
oval:org.opensuse.security:def:100058 | P | (Important) | 2022-03-30
oval:org.opensuse.security:def:102120 | P | Security update for protobuf (Moderate) | 2022-03-30
oval:org.opensuse.security:def:101631 | P | Security update for wireshark (Moderate) | 2022-02-14
oval:org.opensuse.security:def:6188 | P | Security update for the Linux Kernel (Important) | 2022-01-14
oval:org.opensuse.security:def:99747 | P | (Moderate) | 2022-01-11
oval:org.opensuse.security:def:64773 | P | Security update for glibc (Moderate) | 2021-12-08
oval:org.opensuse.security:def:101804 | P | Security update for glibc (Moderate) | 2021-12-08
oval:org.opensuse.security:def:67277 | P | Security update for glibc (Moderate) | 2021-12-08
oval:org.opensuse.security:def:73895 | P | Security update for glibc (Moderate) | 2021-12-08
oval:org.opensuse.security:def:76345 | P | Security update for glibc (Moderate) | 2021-12-08
oval:org.opensuse.security:def:111732 | P | Security update for glibc (Moderate) | 2021-12-08
oval:org.opensuse.security:def:65666 | P | Security update for glibc (Moderate) | 2021-12-08
oval:org.opensuse.security:def:1126 | P | Security update for glibc (Moderate) | 2021-12-08
oval:org.opensuse.security:def:74734 | P | Security update for glibc (Moderate) | 2021-12-08
oval:org.opensuse.security:def:42223 | P | Security update for glibc (Moderate) | 2021-12-08
oval:org.opensuse.security:def:101514 | P | Security update for glibc (Moderate) | 2021-12-08
oval:org.opensuse.security:def:4509 | P | Security update for the Linux Kernel (Live Patch 12 for SLE 12 SP5) (Important) | 2021-11-17
oval:com.redhat.rhsa:def:20214358 | P | RHSA-2021:4358: glibc security, bug fix, and enhancement update (Moderate) | 2021-11-09
oval:org.opensuse.security:def:99154 | P | (Important) | 2021-10-26
oval:org.opensuse.security:def:111093 | P | Security update for glibc (Moderate) | 2021-10-18
oval:org.opensuse.security:def:117505 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:106437 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:73711 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:92797 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:8848 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:69938 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:108786 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:76016 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:105844 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:9798 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:92204 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:5859 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:99349 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:117811 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:106724 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:9043 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:70302 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:65598 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:101325 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:106039 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:10162 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:92399 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:69548 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:99548 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:107991 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:74666 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:42127 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:9408 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:70489 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:98959 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:106238 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:10349 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:92598 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:8661 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:69739 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:64589 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:108297 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:105649 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:9599 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:92009 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:66948 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:31689 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:58020 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:84218 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:93762 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:99997 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:30133 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:56076 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:86661 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:82637 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:93105 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:99146 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:32197 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:58840 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:23683 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:51671 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:84677 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:93976 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:100333 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:30253 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:57104 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:87481 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:83340 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:93265 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:99418 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:33017 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:55253 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:85745 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:94188 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:100662 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:31281 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:57512 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:83460 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:93579 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:99681 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:29430 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:55956 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:86153 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:94399 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:41334 | P | Security update for glibc (Moderate) | 2021-10-04
oval:org.opensuse.security:def:45764 | P | Security update for glibc (Moderate) | 2021-10-04
oval:org.opensuse.security:def:38146 | P | Security update for glibc (Moderate) | 2021-10-04
oval:org.opensuse.security:def:40223 | P | Security update for glibc (Moderate) | 2021-10-04
oval:org.opensuse.security:def:44653 | P | Security update for glibc (Moderate) | 2021-10-04
oval:org.opensuse.security:def:60316 | P | Security update for glibc (Moderate) | 2021-07-27
oval:org.opensuse.security:def:26095 | P | Security update for glibc (Moderate) | 2021-07-27
oval:org.opensuse.security:def:5082 | P | Security update for glibc (Moderate) | 2021-07-27
oval:org.opensuse.security:def:34493 | P | Security update for glibc (Moderate) | 2021-07-27
    gnu glibc *
    netapp ontap select deploy administration utility -
    netapp solidfire -
    netapp hci management node -
    netapp active iq unified manager -
    netapp e-series santricity os controller *
    debian debian linux 10.0
    gnu glibc 2.33
    ibm cloud pak for security 1.7.2.0
    ibm cloud pak for security 1.10.0.0
    ibm cloud pak for security 1.10.6.0