CVE-2021-36222

Summary

CVE	CVE-2021-36222
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-07-22 18:15:00 UTC
Updated	2021-11-28 23:19:00 UTC
Description	ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.

Risk And Classification

Problem Types: CWE-476

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Application	Mit	Kerberos 5	All	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Oncommand Insight	-	All	All	All
Application	Netapp	Oncommand Workflow Automation	-	All	All	All
Application	Netapp	Snapcenter	-	All	All	All
Application	Oracle	Mysql Server	All	All	All	All

References

Reference	Source	Link	Tags
Debian -- Security Information -- DSA-4944-1 krb5	DEBIAN	www.debian.org
Kerberos Security Advisories	MISC	web.mit.edu
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
Fix KDC null deref on bad encrypted challenge · krb5/krb5@fc98f52 · GitHub	CONFIRM	github.com
Releases · krb5/krb5 · GitHub	MISC	github.com
October 2021 MySQL Server Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
CVE-2021-36222 MIT Kerberos 5 Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159406 Oracle Enterprise Linux Security Update for krb5 (ELSA-2021-3576)
178721 Debian Security Update for krb5 (DSA 4944-1)
180209 Debian Security Update for krb5 (CVE-2021-36222)
199244 Ubuntu Security Notification for Kerberos Vulnerabilities (USN-5959-1)
20236 Oracle MySQL October 2021 Critical Patch Update (CPU October 2021)
239649 Red Hat Update for krb5 (RHSA-2021:3576)
281715 Fedora Security Update for krb5 (FEDORA-2021-8b25e4642f)
281728 Fedora Security Update for krb5 (FEDORA-2021-2bae525fd3)
377412 Alibaba Cloud Linux Security Update for krb5 (ALINUX3-SA-2021:0068)
500276 Alpine Linux Security Update for krb5
504041 Alpine Linux Security Update for krb5
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
670708 EulerOS Security Update for krb5 (EulerOS-SA-2021-2466)
670820 EulerOS Security Update for krb5 (EulerOS-SA-2021-2714)
670960 EulerOS Security Update for krb5 (EulerOS-SA-2021-2689)
690192 Free Berkeley Software Distribution (FreeBSD) Security Update for mysql (c9387e4d-2f5f-11ec-8be6-d4c9ef517024)
750992 SUSE Enterprise Linux Security Update for krb5 (SUSE-SU-2021:2800-1)
751001 OpenSUSE Security Update for krb5 (openSUSE-SU-2021:1182-1)
751021 OpenSUSE Security Update for krb5 (openSUSE-SU-2021:2800-1)
751680 OpenSUSE Security Update for samba (openSUSE-SU-2022:0283-1)
751994 SUSE Enterprise Linux Security Update for samba (SUSE-SU-2022:0283-1)
752251 SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2022:2134-1)
752995 SUSE Enterprise Linux Security Update for grafana (SUSE-SU-2022:4428-1)
900399 Common Base Linux Mariner (CBL-Mariner) Security Update for krb5 (5994)
901253 Common Base Linux Mariner (CBL-Mariner) Security Update for krb5 (6607-1)
940422 AlmaLinux Security Update for krb5 (ALSA-2021:3576)