CVE-2021-20322
First published: Thu Aug 26 2021(Updated: )
A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:4.18.0-372.9.1.rt7.166.el8 | 0:4.18.0-372.9.1.rt7.166.el8 |
| redhat/kernel | <0:4.18.0-372.9.1.el8 | 0:4.18.0-372.9.1.el8 |
| redhat/kernel-rt | <0:4.18.0-305.49.1.rt7.121.el8_4 | 0:4.18.0-305.49.1.rt7.121.el8_4 |
| redhat/kernel | <0:4.18.0-305.49.1.el8_4 | 0:4.18.0-305.49.1.el8_4 |
| redhat/kernel | <5.15 | 5.15 |
| Linux Linux kernel | <=5.14.21 | |
| Fedoraproject Fedora | =34 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| NetApp E-Series SANtricity OS Controller | >=11.0<=11.70.1 | |
| Netapp Solidfire\, Enterprise Sds \& Hci Storage Node | ||
| Netapp Solidfire \& Hci Management Node | ||
| Netapp Fas Baseboard Management Controller Firmware | ||
| Netapp Fas Baseboard Management Controller | =8300 | |
| Netapp Fas Baseboard Management Controller | =8700 | |
| Netapp Aff Baseboard Management Controller Firmware | ||
| Netapp Aff Baseboard Management Controller | =a400 | |
| Netapp Aff A700s Firmware | ||
| NetApp AFF A700s | ||
| Netapp Baseboard Management Controller H700s Firmware | ||
| Netapp Baseboard Management Controller H700s | ||
| Netapp Baseboard Management Controller H700e Firmware | ||
| Netapp Baseboard Management Controller H700e | ||
| Netapp Baseboard Management Controller H500s Firmware | ||
| Netapp Baseboard Management Controller H500s | ||
| Netapp Baseboard Management Controller H410s Firmware | ||
| Netapp Baseboard Management Controller H410s | ||
| Netapp Baseboard Management Controller H500e Firmware | ||
| Netapp Baseboard Management Controller H500e | ||
| Netapp Baseboard Management Controller H300e Firmware | ||
| Netapp Baseboard Management Controller H300e | ||
| Netapp Baseboard Management Controller H300s Firmware | ||
| Netapp Baseboard Management Controller H300s | ||
| Netapp Hci Compute Node Firmware | ||
| Netapp Hci Compute Node | ||
| Oracle Communications Cloud Native Core Binding Support Function | =22.1.3 | |
| Oracle Communications Cloud Native Core Network Exposure Function | =22.1.1 | |
| Oracle Communications Cloud Native Core Policy | =22.2.0 | |
| Netapp H700s Firmware | ||
| Netapp H700s | ||
| Netapp H700e Firmware | ||
| Netapp H700e | ||
| Netapp H500s Firmware | ||
| Netapp H500s | ||
| Netapp H410s Firmware | ||
| Netapp H410s | ||
| Netapp H500e Firmware | ||
| Netapp H500e | ||
| Netapp H300e Firmware | ||
| Netapp H300e | ||
| Netapp H300s Firmware | ||
| Netapp H300s | ||
| All of | ||
| Netapp Fas Baseboard Management Controller Firmware | ||
| Netapp Fas Baseboard Management Controller | =8300 | |
| All of | ||
| Netapp Fas Baseboard Management Controller Firmware | ||
| Netapp Fas Baseboard Management Controller | =8700 | |
| All of | ||
| Netapp Aff Baseboard Management Controller Firmware | ||
| Netapp Aff Baseboard Management Controller | =a400 | |
| All of | ||
| Netapp Aff A700s Firmware | ||
| NetApp AFF A700s | ||
| All of | ||
| Netapp H700s Firmware | ||
| Netapp H700s | ||
| All of | ||
| Netapp H700e Firmware | ||
| Netapp H700e | ||
| All of | ||
| Netapp H500s Firmware | ||
| Netapp H500s | ||
| All of | ||
| Netapp H410s Firmware | ||
| Netapp H410s | ||
| All of | ||
| Netapp H500e Firmware | ||
| Netapp H500e | ||
| All of | ||
| Netapp H300e Firmware | ||
| Netapp H300e | ||
| All of | ||
| Netapp H300s Firmware | ||
| Netapp H300s | ||
| All of | ||
| Netapp Hci Compute Node Firmware | ||
| Netapp Hci Compute Node | ||
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.112-1 6.11.5-1 6.11.7-1 |
Remedy
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-20322 https://nvd.nist.gov/vuln/detail/CVE-2021-20322 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.15-rc6&id=4785305c05b25a242e5314cc821f54ade4c18810 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.15-rc6&id=6457378fe796815c973f631a1904e147d6ee33b1 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/ipv4/route.c?h=v5.15-rc6&id=67d6d681e15b578c1725bad8ad079e05d1c48a8e https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/ipv6/route.c?h=v5.15-rc6&id=a00df2caffed3883c341d5685f830434312e4a43
- https://bugzilla.redhat.com/show_bug.cgi?id=2014230
- https://access.redhat.com/errata/RHSA-2022:1975
- https://access.redhat.com/errata/RHSA-2022:1988
- https://access.redhat.com/errata/RHSA-2022:4835
- https://access.redhat.com/errata/RHSA-2022:4829
- https://access.redhat.com/security/cve/cve-2021-20322
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.15-rc6&id=4785305c05b25a242e5314cc821f54ade4c18810
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.15-rc6&id=6457378fe796815c973f631a1904e147d6ee33b1
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/ipv4/route.c?h=v5.15-rc6&id=67d6d681e15b578c1725bad8ad079e05d1c48a8e
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/ipv6/route.c?h=v5.15-rc6&id=a00df2caffed3883c341d5685f830434312e4a43
- https://security.netapp.com/advisory/ntap-20220303-0002/
- https://www.debian.org/security/2022/dsa-5096
- https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://launchpad.net/bugs/cve/CVE-2021-20322
- https://access.redhat.com/security/cve/CVE-2020-25705
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2015075
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.15-rc6&id=4785305c05b25a242e5314cc821f54ade4c18810
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.15-rc6&id=6457378fe796815c973f631a1904e147d6ee33b1
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/ipv4/route.c?h=v5.15-rc6&id=67d6d681e15b578c1725bad8ad079e05d1c48a8e
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/ipv6/route.c?h=v5.15-rc6&id=a00df2caffed3883c341d5685f830434312e4a43
- https://security-tracker.debian.org/tracker/CVE-2021-20322
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20322
- https://nvd.nist.gov/vuln/detail/CVE-2021-20322
- https://ubuntu.com/security/CVE-2021-20322
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/remedy
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-20322
- agent/software-canonical-lookup
- agent/references
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-cve
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/5.14.21
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/netapp
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0
- version/netapp e-series santricity os controller/11.70.1
- canonical/netapp solidfire\, enterprise sds \& hci storage node
- canonical/netapp solidfire \& hci management node
- canonical/netapp fas baseboard management controller firmware
- canonical/netapp fas baseboard management controller
- version/netapp fas baseboard management controller/8300
- version/netapp fas baseboard management controller/8700
- canonical/netapp aff baseboard management controller firmware
- canonical/netapp aff baseboard management controller
- version/netapp aff baseboard management controller/a400
- canonical/netapp aff a700s firmware
- canonical/netapp aff a700s
- canonical/netapp baseboard management controller h700s firmware
- canonical/netapp baseboard management controller h700s
- canonical/netapp baseboard management controller h700e firmware
- canonical/netapp baseboard management controller h700e
- canonical/netapp baseboard management controller h500s firmware
- canonical/netapp baseboard management controller h500s
- canonical/netapp baseboard management controller h410s firmware
- canonical/netapp baseboard management controller h410s
- canonical/netapp baseboard management controller h500e firmware
- canonical/netapp baseboard management controller h500e
- canonical/netapp baseboard management controller h300e firmware
- canonical/netapp baseboard management controller h300e
- canonical/netapp baseboard management controller h300s firmware
- canonical/netapp baseboard management controller h300s
- canonical/netapp hci compute node firmware
- canonical/netapp hci compute node
- vendor/oracle
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/22.1.3
- canonical/oracle communications cloud native core network exposure function
- version/oracle communications cloud native core network exposure function/22.1.1
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/22.2.0
- canonical/netapp h700s firmware
- canonical/netapp h700s
- canonical/netapp h700e firmware
- canonical/netapp h700e
- canonical/netapp h500s firmware
- canonical/netapp h500s
- canonical/netapp h410s firmware
- canonical/netapp h410s
- canonical/netapp h500e firmware
- canonical/netapp h500e
- canonical/netapp h300e firmware
- canonical/netapp h300e
- canonical/netapp h300s firmware
- canonical/netapp h300s
- package-manager/debian