CVE-2021-3521
Summary
| CVE | CVE-2021-3521 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-08-22 15:15:00 UTC |
| Updated | 2023-02-12 23:41:00 UTC |
| Description | There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources. |
Risk And Classification
Problem Types: CWE-347 (Improper Verification of Cryptographic Signature)
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal - Access to 24x7 support and knowledge | MISC | access.redhat.com | |
| 1941098 – (CVE-2021-3521) CVE-2021-3521 rpm: RPM does not require subkeys to have a valid binding signature | MISC | bugzilla.redhat.com | |
| Red Hat Customer Portal - Access to 24x7 support and knowledge | MISC | access.redhat.com | |
| Validate and require subkey binding signatures on PGP public keys · rpm-software-management/rpm@bd36c5d · GitHub | MISC | github.com | |
| Red Hat Customer Portal - Access to 24x7 support and knowledge | MISC | access.redhat.com | |
| Red Hat Customer Portal - Access to 24x7 support and knowledge | MISC | access.redhat.com | |
| RPM: Multiple Vulnerabilities (GLSA 202210-22) — Gentoo security | GENTOO | security.gentoo.org | |
| Validate and require subkey binding signatures on PGP public keys by pmatilai · Pull Request #1795 · rpm-software-management/rpm · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159624 Oracle Enterprise Linux Security Update for rpm (ELSA-2022-0368)
- 183721 Debian Security Update for rpm (CVE-2021-3521)
- 240029 Red Hat Update for rpm (RHSA-2022:0254)
- 240052 Red Hat Update for rpm (RHSA-2022:0368)
- 240102 Red Hat Update for rpm (RHSA-2022:0634)
- 377369 Alibaba Cloud Linux Security Update for rpm (ALINUX3-SA-2022:0007)
- 502948 Alpine Linux Security Update for rpm
- 505817 Alpine Linux Security Update for rpm
- 671193 EulerOS Security Update for rpm (EulerOS-SA-2022-1015)
- 671227 EulerOS Security Update for rpm (EulerOS-SA-2022-1035)
- 671284 EulerOS Security Update for rpm (EulerOS-SA-2022-1234)
- 671300 EulerOS Security Update for rpm (EulerOS-SA-2022-1215)
- 672573 EulerOS Security Update for rpm (EulerOS-SA-2023-1335)
- 691000 Free Berkeley Software Distribution (FreeBSD) Security Update for rpm4 (0c52abde-717b-11ed-98ca-40b034429ecf)
- 710651 Gentoo Linux RPM Multiple Vulnerabilities (GLSA 202210-22)
- 903715 Common Base Linux Mariner (CBL-Mariner) Security Update for rpm (10647)
- 903827 Common Base Linux Mariner (CBL-Mariner) Security Update for rpm (10637)
- 904106 Common Base Linux Mariner (CBL-Mariner) Security Update for rpm (10647-1)
- 904138 Common Base Linux Mariner (CBL-Mariner) Security Update for rpm (10637-1)
- 940443 AlmaLinux Security Update for rpm (ALSA-2022:0368)
- 960109 Rocky Linux Security Update for rpm (RLSA-2022:368)
- 960692 Rocky Linux Security Update for rpm (RLSA-2022:0368)