Vulnerability CVE-2021-4048

Vulnerability Name:

CVE-2021-4048 (CCN-215061)

Assigned:

2021-09-30

Published:

2021-09-30

Updated:

2022-01-04

Summary:

An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.

CVSS v3 Severity:

9.1 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
7.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): High

9.1 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
7.9 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): High

5.9 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.2 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): Partial

9.4 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-125

Vulnerability Consequences:

Denial of Service

References:

Vulnerable Configuration:

Configuration 1:

cpe:/a:lapack_project:lapack:*:*:*:*:*:*:*:* (Version <= 3.10.0)

Configuration 2:

cpe:/a:openblas_project:openblas:*:*:*:*:*:*:*:* (Version < 0.3.18)

Configuration 3:

cpe:/a:julialang:julia:*:*:*:*:*:*:*:* (Version <= 1.6.3)

OR cpe:/a:julialang:julia:1.7.0:beta1:*:*:*:*:*:*

OR cpe:/a:julialang:julia:1.7.0:beta2:*:*:*:*:*:*

OR cpe:/a:julialang:julia:1.7.0:beta3:*:*:*:*:*:*

OR cpe:/a:julialang:julia:1.7.0:beta4:*:*:*:*:*:*

OR cpe:/a:julialang:julia:1.7.0:rc1:*:*:*:*:*:*

Configuration 4:

cpe:/a:redhat:ceph_storage:2.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:ceph_storage:5.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:openshift_container_storage:4.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:openshift_data_foundation:4.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 5:

cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7998	P	cblas-devel-3.9.0-150000.4.13.2 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:7452	P	blas-devel-3.9.0-150000.4.13.2 on GA media (Moderate)	2023-06-12
oval:com.redhat.rhsa:def:20227639	P	RHSA-2022:7639: openblas security update (Moderate)	2022-11-08
oval:org.opensuse.security:def:3402	P	xf86-video-intel-2.99.917+git781.c8990575-1.27 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94509	P	blas-devel-3.5.0-4.6.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95032	P	liblapacke3-3.5.0-4.6.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:2879	P	blas-devel-3.5.0-4.6.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:119155	P	Security update for lapack (Moderate)	2022-03-21
oval:org.opensuse.security:def:1198	P	Security update for lapack (Moderate)	2022-03-21
oval:org.opensuse.security:def:101669	P	Security update for lapack (Moderate)	2022-03-21
oval:org.opensuse.security:def:5375	P	Security update for lapack (Moderate)	2022-03-21
oval:org.opensuse.security:def:101860	P	Security update for lapack (Moderate)	2022-03-21
oval:org.opensuse.security:def:6204	P	Security update for lapack (Moderate)	2022-03-21
oval:org.opensuse.security:def:977	P	Security update for lapack (Moderate)	2022-03-21
oval:org.opensuse.security:def:112012	P	blas-devel-3.9.0-4.1 on GA media (Moderate)	2022-01-17

BACK