CVE-2021-3979
First published: Fri Nov 19 2021(Updated: )
A key length flaw was found in Red Hat Ceph Storage. An attacker can exploit the fact that the key length is incorrectly passed in an encryption algorithm to create a non random key, which is weaker and can be exploited for loss of confidentiality and integrity on encrypted disks.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ceph | <2:14.2.22-110.el7c | 2:14.2.22-110.el7c |
| redhat/ceph | <2:16.2.7-98.el8c | 2:16.2.7-98.el8c |
| ubuntu/ceph | <12.2.13-0ubuntu0.18.04.11 | 12.2.13-0ubuntu0.18.04.11 |
| ubuntu/ceph | <15.2.17-0ubuntu0.20.04.3 | 15.2.17-0ubuntu0.20.04.3 |
| ubuntu/ceph | <16.2.9+ | 16.2.9+ |
| Redhat Ceph Storage | =3.0 | |
| Redhat Ceph Storage | =4.3 | |
| Redhat Ceph Storage | =5.1 | |
| Redhat Openshift Container Storage | =4.0 | |
| Redhat Openshift Data Foundation | =4.0 | |
| Redhat Openstack Platform | =13.0 | |
| Redhat Ceph Storage For Ibm Z Systems | =4.0 | |
| Redhat Ceph Storage | =4.0 | |
| Redhat Ceph Storage | =5.0 | |
| Redhat Ceph Storage For Power | =4.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =37 | |
| All of | ||
| Any of | ||
| Redhat Ceph Storage | =4.0 | |
| Redhat Ceph Storage | =5.0 | |
| Redhat Ceph Storage For Power | =4.0 | |
| Redhat Enterprise Linux | =8.0 | |
| All of | ||
| Any of | ||
| Redhat Ceph Storage | =4.0 | |
| Redhat Ceph Storage | =5.0 | |
| Redhat Ceph Storage For Power | =4.0 | |
| Redhat Enterprise Linux | =7.0 | |
| debian/ceph | <=12.2.11+dfsg1-2.1<=14.2.21-1 | 12.2.11+dfsg1-2.1+deb10u1 16.2.11+ds-2 16.2.11+ds-5 18.2.1+ds-9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-3979 https://nvd.nist.gov/vuln/detail/CVE-2021-3979
- https://bugzilla.redhat.com/show_bug.cgi?id=2024788
- https://access.redhat.com/errata/RHSA-2022:1716
- https://access.redhat.com/errata/RHSA-2022:1174
- https://access.redhat.com/security/cve/cve-2021-3979
- https://access.redhat.com/security/cve/CVE-2021-3979
- https://tracker.ceph.com/issues/54006
- https://github.com/ceph/ceph/pull/44765
- https://github.com/ceph/ceph/commit/47c33179f9a15ae95cc1579a421be89378602656
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPOK44BESMIFW6BIOGCN452AKKOIIT6Q/
- https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html
- https://launchpad.net/bugs/cve/CVE-2021-3979
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2018529
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2027837
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2039522
- https://www.openwall.com/lists/oss-security/2022/01/11/5
- https://github.com/ceph/ceph/commit/f69339e00f582ec64b843ff58b66817975fca0d7
- https://security-tracker.debian.org/tracker/CVE-2021-3979
- https://www.openwall.com/lists/oss-security/2022/01/12/5
- https://ubuntu.com/security/notices/USN-6063-1
- https://www.cve.org/CVERecord?id=CVE-2021-3979
- https://nvd.nist.gov/vuln/detail/CVE-2021-3979
- https://www.openwall.com/lists/oss-security/2022/01/12/5/1
- https://ubuntu.com/security/CVE-2021-3979
Frequently Asked Questions
What is CVE-2021-3979?
CVE-2021-3979 is a key length flaw found in Red Hat Ceph Storage that can be exploited to create a non-random key, resulting in loss of confidentiality and integrity on encrypted disks.
How severe is CVE-2021-3979?
CVE-2021-3979 has a severity score of 6.5, which is considered medium.
Which software versions are affected by CVE-2021-3979?
The affected software versions include Red Hat Ceph Storage 12.2.13-0ubuntu0.18.04.11, 15.2.17-0ubuntu0.20.04.3, 16.2.9+, and 2:14.2.22-110.el7c and 2:16.2.7-98.el8c.
How can I fix CVE-2021-3979?
To fix CVE-2021-3979, update Red Hat Ceph Storage to version 16.2.11+ds-2 or higher.
Where can I find more information about CVE-2021-3979?
You can find more information about CVE-2021-3979 on the Red Hat Bugzilla website: https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2018529
- collector/redhat-cve
- collector/mitre-cve
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3979
- agent/weakness
- agent/severity
- agent/author
- agent/event
- agent/description
- agent/remedy
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/ubuntu
- package-manager/debian
- vendor/redhat
- canonical/redhat ceph storage
- version/redhat ceph storage/3.0
- version/redhat ceph storage/4.3
- version/redhat ceph storage/5.1
- canonical/redhat openshift container storage
- version/redhat openshift container storage/4.0
- canonical/redhat openshift data foundation
- version/redhat openshift data foundation/4.0
- canonical/redhat openstack platform
- version/redhat openstack platform/13.0
- canonical/redhat ceph storage for ibm z systems
- version/redhat ceph storage for ibm z systems/4.0
- version/redhat ceph storage/4.0
- version/redhat ceph storage/5.0
- canonical/redhat ceph storage for power
- version/redhat ceph storage for power/4.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/7.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/37