CVE-2021-20291

A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
Affected Products (NVD)
VendorProductVersion
storage_projectstorage
𝑥
< 1.28.1
redhatopenshift_container_platform
4.0
redhatenterprise_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-github-containers-storage
bookworm
1.43.0+ds1-8
fixed
bullseye
no-dsa
sid
1.55.1+ds1-1
fixed
trixie
1.55.1+ds1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-containers-storage
bionic
dne
focal
needs-triage
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
dne
xenial
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
conmon
suse enterprise sap 15 SP3
2.0.30-150300.8.3.1
fixed
suse enterprise server 15 SP3
2.0.30-150300.8.3.1
fixed
libcontainers-common-20210626
suse enterprise desktop 15 SP3
150300.8.3.1
fixed
suse enterprise desktop 15 SP4
150400.1.3
fixed
suse enterprise sap 15 SP1
150100.3.15.1
fixed
suse enterprise sap 15 SP2
150100.3.15.1
fixed
suse enterprise sap 15 SP3
150300.8.3.1
fixed
suse enterprise sap 15 SP4
150400.1.3
fixed
suse enterprise server 15 SP1
150100.3.15.1
fixed
suse enterprise server 15 SP2
150100.3.15.1
fixed
suse enterprise server 15 SP3
150300.8.3.1
fixed
suse enterprise server 15 SP4
150400.1.3
fixed
libcontainers-common-20240408
suse enterprise desktop 15 SP6
150600.1.1
fixed
suse enterprise desktop 15 SP7
150600.1.1
fixed
suse enterprise sap 15 SP6
150600.1.1
fixed
suse enterprise sap 15 SP7
150600.1.1
fixed
suse enterprise server 15 SP6
150600.1.1
fixed
suse enterprise server 15 SP7
150600.1.1
fixed
libcontainers-default-policy-20240408
suse enterprise desktop 15 SP6
150600.1.1
fixed
suse enterprise desktop 15 SP7
150600.1.1
fixed
suse enterprise sap 15 SP6
150600.1.1
fixed
suse enterprise sap 15 SP7
150600.1.1
fixed
suse enterprise server 15 SP6
150600.1.1
fixed
suse enterprise server 15 SP7
150600.1.1
fixed
libcontainers-sles-mounts-20240408
suse enterprise desktop 15 SP6
150600.1.1
fixed
suse enterprise desktop 15 SP7
150600.1.1
fixed
suse enterprise sap 15 SP6
150600.1.1
fixed
suse enterprise sap 15 SP7
150600.1.1
fixed
suse enterprise server 15 SP6
150600.1.1
fixed
suse enterprise server 15 SP7
150600.1.1
fixed
libseccomp-devel
suse enterprise desktop 15 SP3
2.5.3-150300.10.5.1
fixed
suse enterprise sap 15 SP3
2.5.3-150300.10.5.1
fixed
suse enterprise server 15 SP3
2.5.3-150300.10.5.1
fixed
libseccomp2
suse enterprise desktop 15 SP3
2.5.3-150300.10.5.1
fixed
suse enterprise sap 15 SP3
2.5.3-150300.10.5.1
fixed
suse enterprise server 15 SP3
2.5.3-150300.10.5.1
fixed
podman
suse enterprise sap 15 SP3
3.4.4-150300.9.3.2
fixed
suse enterprise server 15 SP3
3.4.4-150300.9.3.2
fixed
podman-cni-config
suse enterprise sap 15 SP3
3.4.4-150300.9.3.2
fixed
suse enterprise server 15 SP3
3.4.4-150300.9.3.2
fixed
registries-conf-default-20240408
suse enterprise desktop 15 SP6
150600.1.1
fixed
suse enterprise desktop 15 SP7
150600.1.1
fixed
suse enterprise sap 15 SP6
150600.1.1
fixed
suse enterprise sap 15 SP7
150600.1.1
fixed
suse enterprise server 15 SP6
150600.1.1
fixed
suse enterprise server 15 SP7
150600.1.1
fixed
registries-conf-suse-20240408
suse enterprise desktop 15 SP6
150600.1.1
fixed
suse enterprise desktop 15 SP7
150600.1.1
fixed
suse enterprise sap 15 SP6
150600.1.1
fixed
suse enterprise sap 15 SP7
150600.1.1
fixed
suse enterprise server 15 SP6
150600.1.1
fixed
suse enterprise server 15 SP7
150600.1.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
buildah
RHEL 9
1:1.27.0-2.el9
fixed
buildah-tests
RHEL 9
1:1.27.0-2.el9
fixed
podman
RHEL 9
2:4.2.0-3.el9
fixed
podman-docker
RHEL 9
2:4.2.0-3.el9
fixed
podman-gvproxy
RHEL 9
2:4.2.0-3.el9
fixed
podman-plugins
RHEL 9
2:4.2.0-3.el9
fixed
podman-remote
RHEL 9
2:4.2.0-3.el9
fixed
podman-tests
RHEL 9
2:4.2.0-3.el9
fixed
skopeo
RHEL 9
2:1.9.2-1.el9
fixed
skopeo-tests
RHEL 9
2:1.9.2-1.el9
fixed
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=1939485
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5D7XL7FL24TWFMGQ3K2S72EOUSLZMKL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPYOHNG2Q7DCAQZMGYLMENLKALGDLG3X/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WX24EITRXVHDM5M223BVTJA2ODF2FSHI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNMB7O2UIXE34PGSCSOULGHPX5LIJBMM/
https://unit42.paloaltonetworks.com/cve-2021-20291/
https://bugzilla.redhat.com/show_bug.cgi?id=1939485
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5D7XL7FL24TWFMGQ3K2S72EOUSLZMKL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPYOHNG2Q7DCAQZMGYLMENLKALGDLG3X/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WX24EITRXVHDM5M223BVTJA2ODF2FSHI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNMB7O2UIXE34PGSCSOULGHPX5LIJBMM/
https://unit42.paloaltonetworks.com/cve-2021-20291/