Vulnerability Description
A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.
CVSS Score
HIGH (CVSS base score 7.7)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| F5 | Nginx | >= 0.6.18, < 1.20.1 |
| Openresty | Openresty | < 1.19.3.2 |
| Fedoraproject | Fedora | 33 |
| Netapp | Ontap Select Deploy Administration Utility | - |
| Oracle | Blockchain Platform | < 21.1.2 |
| Oracle | Communications Control Plane Monitor | 3.4 |
| Oracle | Communications Fraud Monitor | >= 3.4, <= 4.4 |
| Oracle | Communications Operations Monitor | 3.4 |
| Oracle | Communications Session Border Controller | 8.4 |
| Oracle | Enterprise Communications Broker | 3.3.0 |
| Oracle | Enterprise Session Border Controller | 8.4 |
| Oracle | Enterprise Telephony Fraud Monitor | 3.4 |
| Oracle | Goldengate | < 21.4.0.0.0 |
Related Weaknesses (CWE)
References
- http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html (Mailing List, Patch, Vendor Advisory)
- http://packetstormsecurity.com/files/167720/Nginx-1.20.0-Denial-Of-Service.html (Third Party Advisory, VDB Entry)
- https://lists.apache.org/thread.html/r37e6b2165f7c910d8e15fd54f4697857619ad2625f
- https://lists.apache.org/thread.html/r4d4966221ca399ce948ef34884652265729d7d9ef8
- https://lists.apache.org/thread.html/r6fc5c57b38e93e36213e9a18c8a4e5dbd5ced1c7e5
- https://lists.apache.org/thread.html/rf232eecd47fdc44520192810560303073cefd684b3
- https://lists.apache.org/thread.html/rf318aeeb4d7a3a312734780b47de83cefb7e6995da
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.netapp.com/advisory/ntap-20210708-0006/ (Third Party Advisory)
- https://support.f5.com/csp/article/K12331123%2C
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-23017?
CVE-2021-23017 is a vulnerability with a CVSS score of 7.7 (HIGH). A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process cras...
How severe is CVE-2021-23017?
CVE-2021-23017 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-23017?
Check the references section above for vendor advisories and patch information. Affected products include: F5 Nginx, Openresty Openresty, Fedoraproject Fedora, Netapp Ontap Select Deploy Administration Utility, Oracle Blockchain Platform.