CVE-2021-20277
First published: Mon Mar 22 2021(Updated: )
A flaw was found in Samba's libldb. Multiple, consecutive leading spaces in an LDAP attribute can lead to an out-of-bounds memory write, leading to a crash of the LDAP server process handling the request. The highest threat from this vulnerability is to system availability.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Samba Samba | >=4.0.0<4.12.13 | |
| Samba Samba | >=4.13.0<4.13.6 | |
| Samba Samba | >=4.14.0<4.14.1 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| debian/ldb | <=2:2.2.0-3<=2:1.5.1+really1.4.6-3 | 2:2.2.0-3.1 2:1.5.1+really1.4.6-3+deb10u1 |
| debian/ldb | 2:1.5.1+really1.4.6-3+deb10u1 2:2.2.3-2~deb11u2 | |
| debian/samba | <=2:4.9.5+dfsg-5+deb10u3<=2:4.9.5+dfsg-5+deb10u4<=2:4.13.13+dfsg-1~deb11u5 | 2:4.17.12+dfsg-0+deb12u1 2:4.19.3+dfsg-2 |
| redhat/samba | <4.14.1 | 4.14.1 |
| redhat/samba | <4.13.6 | 4.13.6 |
| redhat/samba | <4.12.13 | 4.12.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1941402
- https://lists.debian.org/debian-lts-announce/2021/03/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLZ74IF2N75VQSIHBL4B3P5WKWQCXSRY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5J3B6PN5XMXF3OHYBNHDKZ3XFSUGY4L/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZXP3ONIY6MB4C5LDZV4YL5KJCES3UX24/
- https://security.gentoo.org/glsa/202105-22
- https://security.netapp.com/advisory/ntap-20210326-0007/
- https://www.debian.org/security/2021/dsa-4884
- https://www.samba.org/samba/security/CVE-2021-20277.html
- https://bugzilla.samba.org/show_bug.cgi?id=14655
- https://security-tracker.debian.org/tracker/CVE-2021-20277
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20277
- https://security-tracker.debian.org/tracker/CVE-2020-27840
- https://security-tracker.debian.org/tracker/CVE-2020-10730
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985935
- https://git.samba.org/?p=samba.git;a=commitdiff;h=ea4bd2c437fbb5801fb82e2a038d9cdb5abea4c0
- https://git.samba.org/?p=samba.git;a=commitdiff;h=1fe8c790b2294fd10fe9c9c6254ecf2b6c00b709
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5J3B6PN5XMXF3OHYBNHDKZ3XFSUGY4L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZXP3ONIY6MB4C5LDZV4YL5KJCES3UX24/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VLZ74IF2N75VQSIHBL4B3P5WKWQCXSRY/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1942497
- https://github.com/samba-team/samba/commit/fab6b79b7724f0b636963be528483e3e946884aa
- https://access.redhat.com/errata/RHSA-2021:1072
- https://access.redhat.com/security/cve/cve-2021-20277
- https://access.redhat.com/errata/RHSA-2021:1197
- https://access.redhat.com/errata/RHSA-2021:1214
- https://access.redhat.com/errata/RHSA-2021:1213
- https://access.redhat.com/errata/RHSA-2021:2331
- https://access.redhat.com/errata/RHSA-2021:2786
Frequently Asked Questions
What is CVE-2021-20277?
CVE-2021-20277 is a vulnerability found in Samba's libldb that allows multiple consecutive leading spaces in an LDAP attribute, leading to an out-of-bounds memory write and a crash of the LDAP server process.
What is the severity of CVE-2021-20277?
The severity of CVE-2021-20277 is high with a CVSS score of 7.5.
What software is affected by CVE-2021-20277?
Samba versions between 4.0.0 and 4.12.13, 4.13.0 and 4.13.6, and 4.14.0 and 4.14.1 are affected. Debian Linux versions 9.0 and 10.0, Fedora versions 32, 33, and 34 are also affected.
What is the highest threat from CVE-2021-20277?
The highest threat from CVE-2021-20277 is to system availability.
How do I fix the CVE-2021-20277 vulnerability?
To fix the CVE-2021-20277 vulnerability, update Samba to versions 4.13.7, 4.14.2, or 4.15.0. Or, apply the respective security updates for Debian Linux and Fedora.
- collector/nvd-index
- collector/debian-bugs
- alias/CVE-2021-20277
- collector/security-tracker-debian
- agent/weakness
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/author
- agent/severity
- agent/description
- agent/tags
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- vendor/samba
- canonical/samba samba
- version/samba samba/4.0.0
- version/samba samba/4.13.0
- version/samba samba/4.14.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- package-manager/debian
- package-manager/redhat