CVE-2021-20291
First published: Tue Mar 16 2021(Updated: )
A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/podman | <2:4.2.0-3.el9 | 2:4.2.0-3.el9 |
| redhat/skopeo | <2:1.9.2-1.el9 | 2:1.9.2-1.el9 |
| redhat/buildah | <1:1.27.0-2.el9 | 1:1.27.0-2.el9 |
| redhat/cri-o | <0:1.20.2-6.rhaos4.7.gitf1d5201.el8 | 0:1.20.2-6.rhaos4.7.gitf1d5201.el8 |
| redhat/openshift | <0:4.7.0-202104090228.p0.git.97111.77863f8.el8 | 0:4.7.0-202104090228.p0.git.97111.77863f8.el8 |
| redhat/containers/storage | <1.28.1 | 1.28.1 |
| storage project storage | <1.28.1 | |
| redhat openshift container platform | =4.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Fedora | =33 | |
| Fedora | =34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-20291 https://nvd.nist.gov/vuln/detail/CVE-2021-20291 https://unit42.paloaltonetworks.com/cve-2021-20291/
- https://bugzilla.redhat.com/show_bug.cgi?id=1939485
- https://access.redhat.com/errata/RHBA-2022:0348
- https://access.redhat.com/errata/RHSA-2021:4154
- https://access.redhat.com/errata/RHSA-2022:7954
- https://access.redhat.com/errata/RHSA-2022:7955
- https://access.redhat.com/errata/RHSA-2022:8008
- https://access.redhat.com/errata/RHSA-2021:1150
- https://access.redhat.com/errata/RHSA-2021:2438
- https://access.redhat.com/security/cve/cve-2021-20291
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5D7XL7FL24TWFMGQ3K2S72EOUSLZMKL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPYOHNG2Q7DCAQZMGYLMENLKALGDLG3X/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WX24EITRXVHDM5M223BVTJA2ODF2FSHI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNMB7O2UIXE34PGSCSOULGHPX5LIJBMM/
- https://unit42.paloaltonetworks.com/cve-2021-20291/
- https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1945639
- https://github.com/containers/storage/blob/master/layers.go#L1416
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1947288
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1947289
- https://github.com/containers/storage/blob/e9989a949a0d2c32fa82d3ff1076e33cfec58cb9/layers.go#L1332
- https://github.com/konveyor/openshift-migration-plugin/blob/cbc29cae77bd1046165166d9f5c2c55488d24e2f/Gopkg.lock#L209
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5D7XL7FL24TWFMGQ3K2S72EOUSLZMKL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNMB7O2UIXE34PGSCSOULGHPX5LIJBMM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WX24EITRXVHDM5M223BVTJA2ODF2FSHI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPYOHNG2Q7DCAQZMGYLMENLKALGDLG3X/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-20291?
CVE-2021-20291 has been classified with a moderate severity level due to the potential for deadlock and system hang upon processing erroneous container images.
How do I fix CVE-2021-20291?
To fix CVE-2021-20291, upgrade to the designated patched versions of affected packages, such as containers/storage version 1.28.1 or higher.
Which software is affected by CVE-2021-20291?
CVE-2021-20291 affects various software packages including Podman, Skopeo, Buildah, and CRI-O, particularly those versions before the recommended updates.
What causes the CVE-2021-20291 vulnerability?
The CVE-2021-20291 vulnerability is caused by a deadlock issue arising when a non-valid tar archive is processed while unpacking container image layers.
Is CVE-2021-20291 exploitable remotely?
CVE-2021-20291 is not directly exploitable remotely as it requires processing of container images under specific erroneous conditions.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/severity
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-20291
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/storage project
- canonical/storage project storage
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.0
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/33
- version/fedora/34