CVE-2021-3667

Name: CVE-2021-3667

Description: An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.

NVD Severity: medium

References

| Type | URI |
|---|---|
| Issue Tracking | https://bugzilla.redhat.com/show_bug.cgi?id=1986094 |
| Patch | https://libvirt.org/git/?p=libvirt.git;a=commit;h=447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87 |
| Patch | https://gitlab.com/libvirt/libvirt/-/commit/447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87 |
| CONFIRM | https://security.netapp.com/advisory/ntap-20220331-0005/ |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:redhat:libvirt:*:*:*:*:*:*:*:* | libvirt | >= None | <= 7.5.0 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| libvirt | 3.12-main | 6.6.0-r4 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |