CVE-2021-3667
Summary
| Field | Value |
|---|---|
| CVE | CVE-2021-3667 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-03-02 23:15:00 UTC |
| Updated | 2024-04-01 13:16:00 UTC |
| Description | An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| libvirt.org Git - libvirt.git/commit | MISC | libvirt.org | |
| lists.debian.org/debian-lts-announce/2024/04/msg00000.html | | lists.debian.org | |
| 1986094 – (CVE-2021-3667) CVE-2021-3667 libvirt: Improper locking on ACL failure in virStoragePoolLookupByTargetPath API | MISC | bugzilla.redhat.com | |
| storage_driver: Unlock object on ACL fail in storagePoolLookupByTargetPath (447f69de) · Commits · libvirt / libvirt · GitLab | MISC | gitlab.com | |
| CVE-2021-3667 Libvirt Vulnerability in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | |
| libvirt: Multiple Vulnerabilities (GLSA 202210-06) — Gentoo security | GENTOO | security.gentoo.org | |
| Red Hat Customer Portal - Access to 24x7 support and knowledge | MISC | access.redhat.com | |
| libvirt.org Git | MISC | libvirt.org | |
| Red Hat Customer Portal - Access to 24x7 support and knowledge | MISC | access.redhat.com | |
| Red Hat Customer Portal - Access to 24x7 support and knowledge | MISC | access.redhat.com | |
| Red Hat Customer Portal - Access to 24x7 support and knowledge | MISC | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159468 Oracle Enterprise Linux Security Update for virt:ol and virt-devel:ol (ELSA-2021-4191)
- 183057 Debian Security Update for libvirt (CVE-2021-3667)
- 198763 Ubuntu Security Notification for libvirt Vulnerabilities (USN-5399-1)
- 239833 Red Hat Update for virt:rhel and virt-devel:rhel security (RHSA-2021:4191)
- 377413 Alibaba Cloud Linux Security Update for virt:rhel and virt-devel:rhel (ALINUX3-SA-2022:0119)
- 6000552 Debian Security Update for libvirt (DLA 3778-1)
- 710643 Gentoo Linux libvirt Multiple Vulnerabilities (GLSA 202210-06)
- 751003 OpenSUSE Security Update for libvirt (openSUSE-SU-2021:2812-1)
- 751189 SUSE Enterprise Linux Security Update for libvirt (SUSE-SU-2021:3277-1)
- 751282 SUSE Enterprise Linux Security Update for libvirt (SUSE-SU-2021:3540-1)
- 751327 OpenSUSE Security Update for libvirt (openSUSE-SU-2021:1451-1)
- 900734 Common Base Linux Mariner (CBL-Mariner) Security Update for libvirt (8881)
- 940172 AlmaLinux Security Update for virt:rhel and virt-devel:rhel (ALSA-2021:4191)
- 960274 Rocky Linux Security Update for virt:rhel and virt-devel:rhel (RLSA-2021:4191)