CVE-2021-3520

moderate-risk

Published 2021-06-02

There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.

Do I need to act?

0.14% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 5ff839680134437dbf4678f3d0c7b371d84f4964

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (8)

Lz4

Active Iq Unified Manager

Cloud Backup

Ontap Select Deploy Administration Utility

Communications Cloud Native Core Policy

Zfs Storage Appliance Kit

Universal Forwarder

Affected Vendors

Oracle Netapp Splunk Lz4 Project

References (10)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1954559

Third Party Advisory https://security.netapp.com/advisory/ntap-20211104-0005/

Patch https://www.oracle.com//security-alerts/cpujul2021.html

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpuoct2021.html

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1954559

Third Party Advisory https://security.netapp.com/advisory/ntap-20211104-0005/

Patch https://www.oracle.com//security-alerts/cpujul2021.html

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpuoct2021.html

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 1/34 · Minimal

Exposure 14/34 · Moderate