search

witchcraze / NVD_CHECK

1 stars 0 forks source link

CHK NVD : CVE-2021-3609 - aaafbe6b #3691

Closed witchcraze closed 1 year ago

witchcraze commented 1 year ago

[CVE Configuration Update Request] Update Suggestion - CVE-2021-3609 - Cvss2 : 6.9 [CVE Configuration Update Request] Update Suggestion - CVE-2021-3609 - Cvss3 : 7

https://www.linuxkernelcves.com/cves/CVE-2021-3609 https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/blob/master/issues/CVE-2021-3609.yml https://github.com/witchcraze/NVD_CHECK/blob/main/kernel/CVE-2021-3609.json

- CVE-2021-3609
- Suggested Configuration
  - OR
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.14.0 up to (excluding) 4.14.240
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.19.0 up to (excluding) 4.19.198
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.4.0 up to (excluding) 4.4.276
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.9.0 up to (excluding) 4.9.276
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.10.0 up to (excluding) 5.10.50
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.12.0 up to (excluding) 5.12.17
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.13.0 up to (excluding) 5.13.2
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.14.0 up to (excluding) 5.14
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.4.0 up to (excluding) 5.4.132
- Reference
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.14.240
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.19.198
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.4.276
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.9.276
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.10.50
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.12.17
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.13.2
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.14
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.4.132
- Reference (Commit)
  - can: bcm: delay release of struct bcm_op after synchronize_rcu()
    - Fixed by
      - 4.14.240 (630f13442f1472abe5013ef98f76a3bbca64dd80)
      - 4.19.198 (eabe65197876e4a0906eab784f5766c4c76098c7)
      - 4.4.276 (9c47fa9295ce58433cae4376240b738b126637d4)
      - 4.9.276 (545914a9f926b8b6c9193cdee352c1fa70e6df18)
      - 5.10.50 (b52e0cf0bfc1ede495de36aec86f6013efa18f60)
      - 5.12.17 (d8a5cf5cfc07a296c78bd515671e374b8d8db022)
      - 5.13.2 (014f8baa9d240c4cf7180d37abd625fd4a4527c8)
      - 5.14 (d5f9023fa61ee8b94f37a93f08e94b136cf1e463) (upstream)
      - 5.4.132 (70a9116b9e5ccd5332d3a60b359fb5902d268fd0)
    - Will be introduced by
      - https://github.com/torvalds/linux/commit/ffd980f976e7
  - can: j1939: j1939_sk_init(): set SOCK_RCU_FREE to call sk_destruct() after RCU is done
    - Fixed by
      - 5.10.50 (f79ea4755f6bac95b8df24ca9a7df1707e72aa27)
      - 5.12.17 (78e99860bcc57bf3f89008a20221257c55dbb0ca)
      - 5.13.2 (54dc7c15743eac57e95cceccb255ffde204798d7)
      - 5.14 (22c696fed25c63c7f67508309820358b94a96b6d) (upstream)
      - 5.4.132 (12aad0220812e11581cceeeb2b4a8dd7b7d5b223)
    - Will be introduced by
      - 5.4 (25fe97cb7620)
      - 5.4 (9d71dd0c7009)
- I Checked
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX is written as upstream commit in each ChangeLog
  - From XXXXXXXX commit page, XXXXXXXXXXX is the most oldest in commit-branches area
  - For 3.16.35, there is related post at lkml
  - For 3.16 series, 3.16.35 is the next release from 3.16.7 which was released at 2014
  - https://mirrors.edge.kernel.org/pub/linux/kernel/v3.x/
  - XXXX
https://nvd.nist.gov/vuln/detail/CVE-2021-3609 URI Start(Ex) Start(Inc) End(Ex) End(Inc)
cpe:/o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4
cpe:/o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2
cpe:/o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.1
cpe:/o:redhat:enterprise_linux_server_tus:8.4
cpe:/o:redhat:enterprise_linux_server_tus:8.2
cpe:/o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.4
cpe:/o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.2
cpe:/o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.1
cpe:/o:redhat:enterprise_linux_server_aus:8.4
cpe:/o:redhat:enterprise_linux_server_aus:8.2
cpe:/o:redhat:enterprise_linux_for_real_time_tus:8.2
cpe:/o:redhat:enterprise_linux_for_real_time_tus:8.0
cpe:/o:redhat:enterprise_linux_for_real_time_for_nfv_tus:8.2
cpe:/o:redhat:enterprise_linux_for_real_time_for_nfv_tus:8.0
cpe:/o:redhat:enterprise_linux_for_real_time_for_nfv:8.0
cpe:/o:redhat:enterprise_linux_for_real_time:8.0
cpe:/o:redhat:enterprise_linux_for_power_little_endian_eus:8.4
cpe:/o:redhat:enterprise_linux_for_power_little_endian_eus:8.2
cpe:/o:redhat:enterprise_linux_for_power_little_endian_eus:8.1
cpe:/o:redhat:enterprise_linux_for_ibm_z_systems_eus_s390x:8.1
cpe:/o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4
cpe:/o:redhat:enterprise_linux_eus:8.4
cpe:/o:redhat:enterprise_linux_eus:8.2
cpe:/o:redhat:enterprise_linux_eus:8.1
cpe:/o:redhat:enterprise_linux_aus:8.2
cpe:/o:netapp:h700s_firmware:-
cpe:/o:netapp:h700e_firmware:-
cpe:/o:netapp:h615c_firmware:-
cpe:/o:netapp:h610s_firmware:-
cpe:/o:netapp:h610c_firmware:-
cpe:/o:netapp:h500s_firmware:-
cpe:/o:netapp:h500e_firmware:-
cpe:/o:netapp:h410s_firmware:-
cpe:/o:netapp:h410c_firmware:-
cpe:/o:netapp:h300s_firmware:-
cpe:/o:netapp:h300e_firmware:-
cpe:/o:linux:linux_kernel:5.13:rc6
cpe:/o:linux:linux_kernel:5.13:rc5
cpe:/o:linux:linux_kernel:5.13:rc4
cpe:/o:linux:linux_kernel:5.13:rc3
cpe:/o:linux:linux_kernel:5.13:rc2
cpe:/o:linux:linux_kernel:5.13:rc1
cpe:/o:linux:linux_kernel 2.6.25 5.13
cpe:/a:redhat:virtualization_host:4.0
cpe:/a:redhat:virtualization:4.0
cpe:/a:redhat:openshift_container_platform:4.8
cpe:/a:redhat:openshift_container_platform:4.7
cpe:/a:redhat:openshift_container_platform:4.6
cpe:/a:redhat:codeready_linux_builder_for_power_little_endian_eus:8.4
cpe:/a:redhat:codeready_linux_builder_for_power_little_endian_eus:8.2
cpe:/a:redhat:codeready_linux_builder_for_power_little_endian_eus:8.1
cpe:/a:redhat:codeready_linux_builder_eus:8.4
cpe:/a:redhat:codeready_linux_builder_eus:8.2
cpe:/a:redhat:codeready_linux_builder_eus:8.1
cpe:/a:redhat:build_of_quarkus:1.0
cpe:/a:redhat:3scale_api_management:2.0
witchcraze commented 1 year ago 
- CVE-2021-3609
- Suggested Configuration
  - OR
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 2.6.25 up to (excluding) 4.4.276
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.5 up to (excluding) 4.9.276
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.10 up to (excluding) 4.14.240
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 up to (excluding) 4.19.198
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.132
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.50
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.12.17
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.13 up to (excluding) 5.13.2
- Reference
  - https://ubuntu.com/security/CVE-2021-3609
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.4.276
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.9.276
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.14.240
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.19.198
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.4.132
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.10.50
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.12.17
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.13.2
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.14
  - Introduce
    - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.4
- Reference (Commit)
  - can: bcm: delay release of struct bcm_op after synchronize_rcu()
    - Fixed by
      - 4.4.276 (9c47fa9295ce58433cae4376240b738b126637d4)
      - 4.9.276 (545914a9f926b8b6c9193cdee352c1fa70e6df18)
      - 4.14.240 (630f13442f1472abe5013ef98f76a3bbca64dd80)
      - 4.19.198 (eabe65197876e4a0906eab784f5766c4c76098c7)
      - 5.4.132 (70a9116b9e5ccd5332d3a60b359fb5902d268fd0)
      - 5.10.50 (b52e0cf0bfc1ede495de36aec86f6013efa18f60)
      - 5.12.17 (d8a5cf5cfc07a296c78bd515671e374b8d8db022)
      - 5.13.2 (014f8baa9d240c4cf7180d37abd625fd4a4527c8)
      - 5.14 (d5f9023fa61ee8b94f37a93f08e94b136cf1e463) (upstream)
    - Will be introduced by
      - https://github.com/torvalds/linux/commit/ffd980f976e7 (v2.6.25-rc1)
  - can: j1939: j1939_sk_init(): set SOCK_RCU_FREE to call sk_destruct() after RCU is done
    - Fixed by
      - 5.4.132 (12aad0220812e11581cceeeb2b4a8dd7b7d5b223)
      - 5.10.50 (f79ea4755f6bac95b8df24ca9a7df1707e72aa27)
      - 5.12.17 (78e99860bcc57bf3f89008a20221257c55dbb0ca)
      - 5.13.2 (54dc7c15743eac57e95cceccb255ffde204798d7)
      - 5.14 (22c696fed25c63c7f67508309820358b94a96b6d) (upstream)
    - Will be introduced by
      - 5.4 (9d71dd0c7009)
- I Checked
  - From ubuntu page
    - Introduced by ffd980f976e7fd666c2e61bf8ab35107efd11828 Fixed by local-CVE-2021-3609-bcm|d5f9023fa61ee8b94f37a93f08e94b136cf1e463
    - Introduced by 9d71dd0c70099914fcd063135da3c580865e924c Fixed by local-CVE-2021-3609-j1939|22c696fed25c63c7f67508309820358b94a96b6d
  - d5f9023fa61ee8b94f37a93f08e94b136cf1e463 is written as upstream commit in each ChangeLog
  - 22c696fed25c63c7f67508309820358b94a96b6d is written as upstream commit in each ChangeLog
  - From ffd980f976e7 commit page, v2.6.25-rc1 is the most oldest in commit-branches area
  - 9d71dd0c7009 is written in ChangeLog-5.4