CVE-2021-4048
First published: Wed Nov 17 2021(Updated: )
An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openblas | <0.3.18 | 0.3.18 |
| Lapack Project Lapack | <=3.10.0 | |
| Openblas Project Openblas | <0.3.18 | |
| Julialang Julia | <=1.6.3 | |
| Julialang Julia | =1.7.0-beta1 | |
| Julialang Julia | =1.7.0-beta2 | |
| Julialang Julia | =1.7.0-beta3 | |
| Julialang Julia | =1.7.0-beta4 | |
| Julialang Julia | =1.7.0-rc1 | |
| Redhat Ceph Storage | =2.0 | |
| Redhat Ceph Storage | =3.0 | |
| Redhat Ceph Storage | =4.0 | |
| Redhat Ceph Storage | =5.0 | |
| Redhat Openshift Container Storage | =4.0 | |
| Redhat Openshift Data Foundation | =4.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| <=3.10.0 | ||
| <0.3.18 | ||
| <=1.6.3 | ||
| =1.7.0-beta1 | ||
| =1.7.0-beta2 | ||
| =1.7.0-beta3 | ||
| =1.7.0-beta4 | ||
| =1.7.0-rc1 | ||
| =2.0 | ||
| =3.0 | ||
| =4.0 | ||
| =5.0 | ||
| =4.0 | ||
| =4.0 | ||
| =8.0 | ||
| =34 | ||
| =35 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://vulndb.cyberriskanalytics.com/vulnerabilities/270365
- https://github.com/xianyi/OpenBLAS/commit/337b65133df174796794871b3988cd03426e6d41
- https://github.com/Reference-LAPACK/lapack/pull/625
- https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781
- https://github.com/JuliaLang/julia/issues/42415
- https://github.com/xianyi/OpenBLAS/commit/2be5ee3cca97a597f2ee2118808a2d5eacea050c
- https://github.com/xianyi/OpenBLAS/commit/fe497efa0510466fd93578aaf9da1ad8ed4edbe7
- https://github.com/xianyi/OpenBLAS/commit/ddb0ff5353637bb5f5ad060c9620e334c143e3d7
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2029851
- https://access.redhat.com/errata/RHSA-2022:7639
- https://access.redhat.com/security/cve/cve-2021-4048
- https://access.redhat.com/errata/RHSA-2023:6832
- https://bugzilla.redhat.com/show_bug.cgi?id=2024358
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QFEVOCUG2UXMVMFMTU4ONJVDEHY2LW2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DROZM4M2QRKSD6FBO4BHSV2QMIRJQPHT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DROZM4M2QRKSD6FBO4BHSV2QMIRJQPHT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QFEVOCUG2UXMVMFMTU4ONJVDEHY2LW2/
Frequently Asked Questions
What is the severity of CVE-2021-4048?
The severity of CVE-2021-4048 is critical with a CVSS score of 9.1.
Which software versions are affected by CVE-2021-4048?
CVE-2021-4048 affects lapack through version 3.10.0 and OpenBLAS before version 0.3.18.
How can CVE-2021-4048 be exploited?
CVE-2021-4048 can be exploited by passing specially crafted inputs to the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack.
Is there a fix available for CVE-2021-4048?
Yes, a fix for CVE-2021-4048 is available. Update to a version of lapack after 3.10.0 or OpenBLAS after 0.3.18.
Where can I find more information about CVE-2021-4048?
More information about CVE-2021-4048 can be found at the following references: [Link 1](https://github.com/JuliaLang/julia/issues/42415), [Link 2](https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781), [Link 3](https://github.com/Reference-LAPACK/lapack/pull/625).
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-4048
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- package-manager/redhat
- vendor/lapack project
- canonical/lapack project lapack
- version/lapack project lapack/3.10.0
- vendor/openblas project
- canonical/openblas project openblas
- vendor/julialang
- canonical/julialang julia
- version/julialang julia/1.6.3
- version/julialang julia/1.7.0-beta1
- version/julialang julia/1.7.0-beta2
- version/julialang julia/1.7.0-beta3
- version/julialang julia/1.7.0-beta4
- version/julialang julia/1.7.0-rc1
- vendor/redhat
- canonical/redhat ceph storage
- version/redhat ceph storage/2.0
- version/redhat ceph storage/3.0
- version/redhat ceph storage/4.0
- version/redhat ceph storage/5.0
- canonical/redhat openshift container storage
- version/redhat openshift container storage/4.0
- canonical/redhat openshift data foundation
- version/redhat openshift data foundation/4.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35