{
  "threat_severity" : "Important",
  "public_date" : "2021-01-13T00:00:00Z",
  "bugzilla" : {
    "description" : "tcmu-runner: SCSI target (LIO) write to any block on ILO backstore",
    "id" : "1916045",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1916045"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm.", "A flaw was found in the Linux kernel’s implementation of the Linux SCSI target host, where an authenticated attacker could write to any block on the exported SCSI device backing store. This flaw allows an authenticated attacker to send LIO block requests to the Linux system to overwrite data on the backing store. The highest threat from this vulnerability is to integrity. In addition, this flaw affects the tcmu-runner package, where the affected SCSI command is called." ],
  "statement" : "This issue did not affect the version of tcmu-runner as shipped with Red Hat Gluster Storage 3, as it did not include support for Extended Copy (XCOPY). \nRed Hat Ceph Storage 3 and 4 are affected, as they ship an affected version of tcmu-runner with XCOPY.\nRed Hat OpenShift Container Storage (RHOCS) 4 shipped tcmu-runner package for the usage of RHOCS 4.2 only, that has reached End Of Life. The shipped version of tcmu-runner package is no longer used and supported with the release of RHOCS 4.3.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ceph Storage 3 - ELS",
    "release_date" : "2021-05-06T00:00:00Z",
    "advisory" : "RHSA-2021:1518",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "ceph-2:12.2.12-139.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3 - ELS",
    "release_date" : "2021-05-06T00:00:00Z",
    "advisory" : "RHSA-2021:1518",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "ceph-ansible-0:3.2.56-1.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3 - ELS",
    "release_date" : "2021-05-06T00:00:00Z",
    "advisory" : "RHSA-2021:1518",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "cephmetrics-0:2.0.10-1.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3 - ELS",
    "release_date" : "2021-05-06T00:00:00Z",
    "advisory" : "RHSA-2021:1518",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "grafana-0:5.2.4-3.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3 - ELS",
    "release_date" : "2021-05-06T00:00:00Z",
    "advisory" : "RHSA-2021:1518",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "tcmu-runner-0:1.4.0-3.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 4.2",
    "release_date" : "2021-04-28T00:00:00Z",
    "advisory" : "RHSA-2021:1452",
    "cpe" : "cpe:/a:redhat:ceph_storage:4::el7",
    "package" : "ceph-2:14.2.11-147.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 4.2",
    "release_date" : "2021-04-28T00:00:00Z",
    "advisory" : "RHSA-2021:1452",
    "cpe" : "cpe:/a:redhat:ceph_storage:4::el7",
    "package" : "ceph-ansible-0:4.0.49.2-1.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 4.2",
    "release_date" : "2021-04-28T00:00:00Z",
    "advisory" : "RHSA-2021:1452",
    "cpe" : "cpe:/a:redhat:ceph_storage:4::el7",
    "package" : "gperftools-0:2.6.3-3.el8cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 4.2",
    "release_date" : "2021-04-28T00:00:00Z",
    "advisory" : "RHSA-2021:1452",
    "cpe" : "cpe:/a:redhat:ceph_storage:4::el7",
    "package" : "tcmu-runner-0:1.5.2-2.el7cp"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Will not fix",
    "package_name" : "tcmu-runner",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "tcmu-runner",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3139\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3139" ],
  "name" : "CVE-2021-3139",
  "mitigation" : {
    "value" : "As this feature can be guarded behind an authentication and firewall rules, limit access with firewall rules and enforcing strong password hygiene.  This may not be a suitable option if many uncontrolled hosts mount the networked iSCSI device.",
    "lang" : "en:us"
  },
  "csaw" : false
}