CVE-2021-4115
First published: Mon Feb 21 2022(Updated: )
There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: Polkit process outage duration is tied to the failing process being reaped and a new one being spawned
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Polkit Project Polkit | =0.117 | |
| Redhat Enterprise Linux | =8.0 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Canonical Ubuntu Linux | =20.04 | |
| Canonical Ubuntu Linux | =21.10 | |
| Debian Debian Linux | =11.0 | |
| Oracle ZFS Storage Appliance Kit | =8.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/172849/polkit-File-Descriptor-Exhaustion.html
- https://access.redhat.com/security/cve/cve-2021-4115
- https://gitlab.com/redhat/centos-stream/rpms/polkit/-/merge_requests/6/diffs?commit_id=bf900df04dc390d389e59aa10942b0f2b15c531e
- https://gitlab.freedesktop.org/polkit/polkit/-/issues/141
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGKWCBS6IDZYYDYM2WIWJM5BL7QQTWPF/
- https://www.oracle.com/security-alerts/cpujul2022.html
Frequently Asked Questions
What is CVE-2021-4115?
CVE-2021-4115 is a vulnerability in polkit that can allow an unprivileged user to cause polkit to crash due to process file descriptor exhaustion.
What is the severity of CVE-2021-4115?
The severity of CVE-2021-4115 is medium with a CVSS score of 5.5.
Which software is affected by CVE-2021-4115?
Red Hat Polkit, Red Hat Enterprise Linux 8.0, Fedoraproject Fedora 34 and 35, Canonical Ubuntu Linux 20.04 and 21.10, Debian Debian Linux 11.0, and Oracle ZFS Storage Appliance Kit 8.8 are affected by CVE-2021-4115.
How can an unprivileged user exploit CVE-2021-4115?
An unprivileged user can exploit CVE-2021-4115 by causing polkit to crash through process file descriptor exhaustion.
Is there a fix available for CVE-2021-4115?
Yes, there is a fix available for CVE-2021-4115. It is recommended to update the affected software to the latest version or apply the necessary patches.
- agent/references
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/severity
- agent/remedy
- agent/weakness
- agent/author
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- vendor/polkit project
- canonical/polkit project polkit
- version/polkit project polkit/0.117
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/20.04
- version/canonical ubuntu linux/21.10
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0
- vendor/oracle
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8