CVE-2021-3520: Integer Overflow
First published: Wed Apr 28 2021(Updated: )
lz4 could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow. By sending a specially crafted file, an attacker could invoke memmove() on a negative size argument leading to memory corruption and trigger an out-of-bounds write or cause the library to crash.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/lz4 | <0:1.8.3-3.el8_4 | 0:1.8.3-3.el8_4 |
| Lz4 Project Lz4 | =1.8.3 | |
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| NetApp ONTAP Select Deploy administration utility | ||
| Oracle Communications Cloud Native Core Policy | =1.14.0 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| redhat/lz4 | <1.9.4 | 1.9.4 |
| Lz4 Project Lz4 | >=1.8.3<1.9.4 | |
| Netapp Cloud Backup | ||
| Splunk Universal Forwarder | >=8.2.0<8.2.12 | |
| Splunk Universal Forwarder | >=9.0.0<9.0.6 | |
| Splunk Universal Forwarder | =9.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-3520 https://nvd.nist.gov/vuln/detail/CVE-2021-3520
- https://bugzilla.redhat.com/show_bug.cgi?id=1954559
- https://access.redhat.com/errata/RHSA-2021:2575
- https://access.redhat.com/errata/RHSA-2022:6407
- https://access.redhat.com/errata/RHSA-2022:5606
- https://access.redhat.com/errata/RHSA-2022:1345
- https://access.redhat.com/errata/RHBA-2021:2854
- https://access.redhat.com/security/cve/cve-2021-3520
- https://security.netapp.com/advisory/ntap-20211104-0005/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/lz4/lz4/pull/972
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1954560
- https://github.com/lz4/lz4/pull/972/commits/8301a21773ef61656225e264f4f06ae14462bca7
- https://access.redhat.com/support/policy/updates/errata
- https://github.com/lz4/lz4/blob/dev/lib/lz4.h#L212
- https://access.redhat.com/errata/RHSA-2021:2575/
- https://geometrydashbloodbath.com
- https://www.aairtickets.com/es/articulos/frontier-airlines-puerto-rico-telefono/
- https://access.redhat.com/errata/RHSA-2024:3527
- https://exchange.xforce.ibmcloud.com/vulnerabilities/202592
- https://www.ibm.com/support/pages/node/6493729
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-3520?
CVE-2021-3520 is a vulnerability in lz4 that allows a remote attacker to execute arbitrary code on the system.
How does CVE-2021-3520 affect the availability of the system?
CVE-2021-3520 can lead to an out-of-bounds write and/or a crash, impacting the availability of the system.
Which software is affected by CVE-2021-3520?
The affected software includes lz4 versions up to 1.9.4 and IBM Security Verify Access up to version 10.0.0.
Is there a fix for CVE-2021-3520?
Yes, updating lz4 to version 1.9.4 or higher resolves CVE-2021-3520.
Where can I find more information about CVE-2021-3520?
More information about CVE-2021-3520 can be found in the references: [link1], [link2], [link3].
- collector/redhat-cve
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/severity
- agent/description
- agent/author
- agent/weakness
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3520
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/references
- agent/softwarecombine
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/lz4 project
- canonical/lz4 project lz4
- version/lz4 project lz4/1.8.3
- vendor/netapp
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp ontap select deploy administration utility
- vendor/oracle
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- canonical/netapp cloud backup
- vendor/splunk
- canonical/splunk universal forwarder
- version/splunk universal forwarder/8.2.0
- version/splunk universal forwarder/9.0.0
- version/splunk universal forwarder/9.1.0
- vendor/ibm
- canonical/ibm security verify access
- version/ibm security verify access/10.0.0