CVE-2021-4209: Null Pointer Dereference
First published: Mon Jan 24 2022(Updated: )
A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/gnutls | <3.7.3 | 3.7.3 |
| GNU GnuTLS | <3.7.3 | |
| Redhat Enterprise Linux | =8.0 | |
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Solidfire \& Hci Management Node | ||
| Netapp Hci Bootstrap Os | ||
| Netapp Hci Compute Node |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2021-4209
- https://bugzilla.redhat.com/show_bug.cgi?id=2044156
- https://gitlab.com/gnutls/gnutls/-/commit/3db352734472d851318944db13be73da61300568
- https://gitlab.com/gnutls/gnutls/-/issues/1306
- https://gitlab.com/gnutls/gnutls/-/merge_requests/1503
- https://security.netapp.com/advisory/ntap-20220915-0005/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2055368
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2055369
Frequently Asked Questions
What is CVE-2021-4209?
CVE-2021-4209 is a NULL pointer dereference flaw in GnuTLS that can cause a denial of service after authentication in rare circumstances.
How does CVE-2021-4209 affect GnuTLS?
CVE-2021-4209 affects GnuTLS versions up to and excluding 3.7.3, leading to a denial of service vulnerability.
What is the severity of CVE-2021-4209?
CVE-2021-4209 has a severity rating of 6.5 (medium).
Which software versions are affected by CVE-2021-4209?
GnuTLS versions up to and excluding 3.7.3 are affected by CVE-2021-4209.
How can I fix CVE-2021-4209?
To fix CVE-2021-4209, it is recommended to update GnuTLS to version 3.7.3 or higher.
- agent/references
- agent/type
- agent/first-publish-date
- agent/severity
- agent/author
- agent/remedy
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-4209
- agent/software-canonical-lookup
- agent/weakness
- agent/tags
- agent/event
- vendor/gnu
- canonical/gnu gnutls
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- vendor/netapp
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp solidfire \& hci management node
- canonical/netapp hci bootstrap os
- canonical/netapp hci compute node
- package-manager/redhat