CVE-2021-3667 — MEDIUM (6.5)

Q: How severe is CVE-2021-3667?

CVE-2021-3667 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-3667?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Libvirt, Redhat Enterprise Linux, Netapp Ontap Select Deploy Administration Utility, Debian Debian Linux.

Vulnerability Description

An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Redhat	Libvirt	>= 4.1.0, <= 7.5.0
Redhat	Enterprise Linux	8.0
Netapp	Ontap Select Deploy Administration Utility	-
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-667

References

https://bugzilla.redhat.com/show_bug.cgi?id=1986094Issue TrackingVendor Advisory
https://gitlab.com/libvirt/libvirt/-/commit/447f69dec47e1b0bd15ecd7cd49a9fd3b050PatchThird Party Advisory
https://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=447f69dec47e1b0bd15ecd7cd4Patch
https://lists.debian.org/debian-lts-announce/2024/04/msg00000.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202210-06Third Party Advisory
https://security.netapp.com/advisory/ntap-20220331-0005/Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1986094Issue TrackingVendor Advisory
https://gitlab.com/libvirt/libvirt/-/commit/447f69dec47e1b0bd15ecd7cd49a9fd3b050PatchThird Party Advisory
https://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=447f69dec47e1b0bd15ecd7cd4Patch
https://lists.debian.org/debian-lts-announce/2024/04/msg00000.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202210-06Third Party Advisory
https://security.netapp.com/advisory/ntap-20220331-0005/Third Party Advisory

FAQ

What is CVE-2021-3667?

CVE-2021-3667 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not prope...

How severe is CVE-2021-3667?

CVE-2021-3667 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-3667?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Libvirt, Redhat Enterprise Linux, Netapp Ontap Select Deploy Administration Utility, Debian Debian Linux.