PT-2021-1402

Author: Aviv Sasson · Published: 2021-04-01 · Updated: 2024-06-15

CVE-2021-20291
CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: github.com/containers/storage versions prior to 1.28.1
Description: A deadlock occurs when processing a container image that contains an invalid tar archive layer: the decompression code waits indefinitely on the unpacked tar stream that never arrives. An attacker can craft a malicious image that triggers this condition, causing a Denial of Service (DoS) in any application that downloads and stores the image using containers/storage.
Recommendations: For versions prior to 1.28.1, update to version 1.28.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the github.com/containers/storage module until a patch is available. Avoid using the DecompressStream function on untrusted archives to minimize the risk of exploitation.

Tags: Exploit, Fix, DoS, Resource Exhaustion, Improper Locking

Related Identifiers

ALBA-2022:0348
ALSA-2021:4154
ALSA-2021_4154
ALSA-2022:7954
ALSA-2022:7955
ALSA-2022:8008
ALSA-2022_7955
ALSA-2022_8008
ALT-PU-2022-1252
AZL-44580
CESA-2021_4154
CVE-2021-20291
ELSA-2021-4154
ELSA-2022-7954
ELSA-2022-7955
ELSA-2022-8008
GHSA-7QW8-847F-PGGM
GO-2021-0100
MGASA-2023-0213
OPENSUSE-SU-2022:23018-1
OPENSUSE-SU-2022_23018-1
OPENSUSE-SU-2024:11757-1
RHSA-2021:1150
RHSA-2021:4154
RHSA-2021_4154
RHSA-2022:7954
RHSA-2022:7955
RHSA-2022:8008
RHSA-2022_7954
RHSA-2022_7955
RHSA-2022_8008
RLSA-2021:4154
RLSA-2021_4154
SUSE-SU-2022:23018-1
SUSE-SU-2022:3312-1
SUSE-SU-2022_23018-1
SUSE-SU-2022_3312-1

Affected Products

Alt Linux
Almalinux
Centos
Debian
Red Hat
Rocky Linux
Suse
Containers/Storage