CVE-2021-4048
First published: Wed Nov 17 2021(Updated: )
An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openblas | <0.3.18 | 0.3.18 |
| liblapack3 | <=3.10.0 | |
| Red Hat OpenBLAS | <0.3.18 | |
| Julia | <=1.6.3 | |
| Julia | =1.7.0-beta1 | |
| Julia | =1.7.0-beta2 | |
| Julia | =1.7.0-beta3 | |
| Julia | =1.7.0-beta4 | |
| Julia | =1.7.0-rc1 | |
| Red Hat Ceph Storage | =2.0 | |
| Red Hat Ceph Storage | =3.0 | |
| Red Hat Ceph Storage | =4.0 | |
| Red Hat Ceph Storage | =5.0 | |
| Red Hat OpenShift Container Storage | =4.0 | |
| Red Hat OpenShift Data Foundation | =4.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Fedora | =34 | |
| Red Hat Fedora | =35 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://vulndb.cyberriskanalytics.com/vulnerabilities/270365
- https://github.com/xianyi/OpenBLAS/commit/337b65133df174796794871b3988cd03426e6d41
- https://github.com/Reference-LAPACK/lapack/pull/625
- https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781
- https://github.com/JuliaLang/julia/issues/42415
- https://github.com/xianyi/OpenBLAS/commit/2be5ee3cca97a597f2ee2118808a2d5eacea050c
- https://github.com/xianyi/OpenBLAS/commit/fe497efa0510466fd93578aaf9da1ad8ed4edbe7
- https://github.com/xianyi/OpenBLAS/commit/ddb0ff5353637bb5f5ad060c9620e334c143e3d7
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2029851
- https://access.redhat.com/errata/RHSA-2022:7639
- https://access.redhat.com/security/cve/cve-2021-4048
- https://access.redhat.com/errata/RHSA-2023:6832
- https://bugzilla.redhat.com/show_bug.cgi?id=2024358
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QFEVOCUG2UXMVMFMTU4ONJVDEHY2LW2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DROZM4M2QRKSD6FBO4BHSV2QMIRJQPHT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DROZM4M2QRKSD6FBO4BHSV2QMIRJQPHT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QFEVOCUG2UXMVMFMTU4ONJVDEHY2LW2/
Frequently Asked Questions
What is the severity of CVE-2021-4048?
The severity of CVE-2021-4048 is critical with a CVSS score of 9.1.
Which software versions are affected by CVE-2021-4048?
CVE-2021-4048 affects lapack through version 3.10.0 and OpenBLAS before version 0.3.18.
How can CVE-2021-4048 be exploited?
CVE-2021-4048 can be exploited by passing specially crafted inputs to the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack.
Is there a fix available for CVE-2021-4048?
Yes, a fix for CVE-2021-4048 is available. Update to a version of lapack after 3.10.0 or OpenBLAS after 0.3.18.
Where can I find more information about CVE-2021-4048?
More information about CVE-2021-4048 can be found at the following references: [Link 1](https://github.com/JuliaLang/julia/issues/42415), [Link 2](https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781), [Link 3](https://github.com/Reference-LAPACK/lapack/pull/625).
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-4048
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/author
- agent/event
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/redhat
- vendor/lapack project
- canonical/liblapack3
- version/liblapack3/3.10.0
- vendor/openblas project
- canonical/red hat openblas
- vendor/julialang
- canonical/julia
- version/julia/1.6.3
- version/julia/1.7.0-beta1
- version/julia/1.7.0-beta2
- version/julia/1.7.0-beta3
- version/julia/1.7.0-beta4
- version/julia/1.7.0-rc1
- vendor/redhat
- canonical/red hat ceph storage
- version/red hat ceph storage/2.0
- version/red hat ceph storage/3.0
- version/red hat ceph storage/4.0
- version/red hat ceph storage/5.0
- canonical/red hat openshift container storage
- version/red hat openshift container storage/4.0
- canonical/red hat openshift data foundation
- version/red hat openshift data foundation/4.0
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/34
- version/red hat fedora/35