CVE-2021-3672

Summary

CVE	CVE-2021-3672
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-11-23 19:15:00 UTC
Updated	2024-01-05 10:15:00 UTC
Description	A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

Risk And Classification

Problem Types: CWE-79

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	C-ares Project	C-ares	All	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Pgbouncer	Pgbouncer	All	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All
Operating System	Redhat	Enterprise Linux	7.7	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Operating System	Redhat	Enterprise Linux Computer Node	1	All	All	All
Operating System	Redhat	Enterprise Linux Eus	7.7	All	All	All
Operating System	Redhat	Enterprise Linux Eus	8.1	All	All	All
Operating System	Redhat	Enterprise Linux Eus	8.2	All	All	All
Operating System	Redhat	Enterprise Linux Eus	8.4	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems	8.0	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus	8.1	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus	8.2	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus	8.4	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian	8.0	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian Eus	8.1	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian Eus	8.2	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian Eus	8.4	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	8.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	8.4	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	8.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	8.4	All	All	All
Operating System	Redhat	Enterprise Linux Server Update Services For Sap Solutions	8.1	All	All	All
Operating System	Redhat	Enterprise Linux Server Update Services For Sap Solutions	8.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Update Services For Sap Solutions	8.4	All	All	All
Operating System	Redhat	Enterprise Linux Tus	8.4	All	All	All
Operating System	Redhat	Enterprise Linux Workstation	1	All	All	All
Application	Siemens	Sinec Infrastructure Network Services	All	All	All	All

References

Reference	Source	Link	Tags
Missing input validation on hostnames returned by DNS servers	MISC	c-ares.haxx.se
GLSA-202401-02		security.gentoo.org
cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	CONFIRM	cert-portal.siemens.com
1988342 – (CVE-2021-3672) CVE-2021-3672 c-ares: Missing input validation of host names may lead to domain hijacking	MISC	bugzilla.redhat.com
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159398 Oracle Enterprise Linux Security Update for nodejs:12 (ELSA-2021-3623)
159408 Oracle Enterprise Linux Security Update for nodejs:14 (ELSA-2021-3666)
159827 Oracle Enterprise Linux Security Update for c-ares (ELSA-2022-2043)
178750 Debian Security Update for c-ares (DSA 4954-1)
178751 Debian Security Update for c-ares (DLA 2738-1)
179624 Debian Security Update for c-ares (CVE-2021-3672)
198455 Ubuntu Security Notification for c-ares vulnerability (USN-5034-1)
239590 Red Hat Update for rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon (RHSA-2021:3281)
239591 Red Hat Update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2021:3280)
239645 Red Hat Update for nodejs:12 (RHSA-2021:3623)
239654 Red Hat Update for nodejs:12 (RHSA-2021:3639)
239655 Red Hat Update for nodejs:12 (RHSA-2021:3638)
239658 Red Hat Update for nodejs:14 (RHSA-2021:3666)
240295 Red Hat Update for c-ares (RHSA-2022:2043)
281816 Fedora Security Update for c (FEDORA-2021-0a60cbb948)
281821 Fedora Security Update for mingw (FEDORA-2021-001ec24fc5)
281822 Fedora Security Update for mingw (FEDORA-2021-c83b66abdb)
281869 Fedora Security Update for c (FEDORA-2021-52c89b44a9)
296060 Oracle Solaris 11.4 Support Repository Update (SRU) 37.0.1.101.1 Missing (CPUJUL2021)
352861 Amazon Linux Security Advisory for c-ares: ALAS-2021-1545
375877 Kibana Multiple Security Vulnerabilities (ESA-2021-21, ESA-2021-22, ESA-2021-24)
376035 F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) Node.js Vulnerabilities (K53225395)
377157 Alibaba Cloud Linux Security Update for nodejs:14 (ALINUX3-SA-2021:0072)
500086 Alpine Linux Security Update for c-ares
500444 Alpine Linux Security Update for nodejs
501453 Alpine Linux Security Update for nodejs
501884 Alpine Linux Security Update for nodejs-current
502123 Alpine Linux Security Update for nodejs-current
503759 Alpine Linux Security Update for c-ares
504207 Alpine Linux Security Update for nodejs
505102 Alpine Linux Security Update for nodejs-current
670816 EulerOS Security Update for c-ares (EulerOS-SA-2021-2704)
670983 EulerOS Security Update for c-ares (EulerOS-SA-2021-2679)
670989 EulerOS Security Update for c-ares (EulerOS-SA-2021-2652)
671016 EulerOS Security Update for c-ares (EulerOS-SA-2021-2623)
671035 EulerOS Security Update for c-ares (EulerOS-SA-2021-2574)
691133 Free Berkeley Software Distribution (FreeBSD) Security Update for py39 (43e9ffd4-d6e0-11ed-956f-7054d21a9e2a)
710820 Gentoo Linux c-ares Multiple Vulnerabilities (GLSA 202401-02)
750967 SUSE Enterprise Linux Security Update for libcares2 (SUSE-SU-2021:2690-1)
750975 SUSE Enterprise Linux Security Update for c-ares (SUSE-SU-2021:2760-1)
750979 OpenSUSE Security Update for c-ares (openSUSE-SU-2021:2760-1)
751022 OpenSUSE Security Update for c-ares (openSUSE-SU-2021:1168-1)
751061 OpenSUSE Security Update for nodejs12 (openSUSE-SU-2021:2875-1)
751071 OpenSUSE Security Update for nodejs12 (openSUSE-SU-2021:1214-1)
751093 OpenSUSE Security Update for nodejs10 (openSUSE-SU-2021:2953-1)
751112 OpenSUSE Security Update for nodejs10 (openSUSE-SU-2021:1239-1)
751171 OpenSUSE Security Update for nodejs14 (openSUSE-SU-2021:3211-1)
751178 OpenSUSE Security Update for nodejs14 (openSUSE-SU-2021:1313-1)
900407 Common Base Linux Mariner (CBL-Mariner) Security Update for c-ares (6243)
904236 Common Base Linux Mariner (CBL-Mariner) Security Update for pgbouncer (11165)
904268 Common Base Linux Mariner (CBL-Mariner) Security Update for pgbouncer (11139)
940217 AlmaLinux Security Update for nodejs:12 (ALSA-2021:3623)
940388 AlmaLinux Security Update for nodejs:14 (ALSA-2021:3666)
940536 AlmaLinux Security Update for c-ares (ALSA-2022:2043)
960124 Rocky Linux Security Update for c-ares (RLSA-2022:2043)