Vulnerability Description
A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Storage Project | Storage | < 1.28.1 |
| Redhat | Openshift Container Platform | 4.0 |
| Redhat | Enterprise Linux | 8.0 |
| Fedoraproject | Fedora | 33 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1939485Issue TrackingPatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://unit42.paloaltonetworks.com/cve-2021-20291/ExploitThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1939485Issue TrackingPatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://unit42.paloaltonetworks.com/cve-2021-20291/ExploitThird Party Advisory
FAQ
What is CVE-2021-20291?
CVE-2021-20291 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not ...
How severe is CVE-2021-20291?
CVE-2021-20291 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-20291?
Check the references section above for vendor advisories and patch information. Affected products include: Storage Project Storage, Redhat Openshift Container Platform, Redhat Enterprise Linux, Fedoraproject Fedora.