{
  "threat_severity" : "Moderate",
  "public_date" : "2021-04-28T00:00:00Z",
  "bugzilla" : {
    "description" : "lz4: memory corruption due to an integer overflow bug caused by memmove argument",
    "id" : "1954559",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1954559"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-787",
  "details" : [ "There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.", "There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well." ],
  "statement" : "This flaw is out of support scope for Red Hat Enterprise Linux 7. To learn more about Red Hat Enterprise Linux support life cycles, please see https://access.redhat.com/support/policy/updates/errata .",
  "affected_release" : [ {
    "product_name" : "Red Hat AMQ Streams 2.1.0",
    "release_date" : "2022-04-13T00:00:00Z",
    "advisory" : "RHSA-2022:1345",
    "cpe" : "cpe:/a:redhat:amq_streams:2",
    "package" : "lz4"
  }, {
    "product_name" : "Red Hat AMQ Streams 2.7.0",
    "release_date" : "2024-05-30T00:00:00Z",
    "advisory" : "RHSA-2024:3527",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2575",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "lz4-0:1.8.3-3.el8_4"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-migration-controller-rhel8:v1.4.6-4"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-migration-log-reader-rhel8:v1.4.6-4"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-migration-must-gather-rhel8:v1.4.6-4"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-migration-operator-bundle:v1.4.6-5"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-migration-registry-rhel8:v1.4.6-4"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-migration-rsync-transfer-rhel8:v1.4.6-4"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-migration-ui-rhel8:v1.4.6-4"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8:v1.4.6-4"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8:v1.4.6-3"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8:v1.4.6-4"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8:v1.4.6-5"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-migration-velero-rhel8:v1.4.6-5"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.4",
    "release_date" : "2021-07-21T00:00:00Z",
    "advisory" : "RHBA-2021:2854",
    "cpe" : "cpe:/a:redhat:rhmt:1.4::el7",
    "package" : "rhmtc/openshift-velero-plugin-rhel8:v1.4.6-4"
  }, {
    "product_name" : "RHAF Camel-K 1.8",
    "release_date" : "2022-09-09T00:00:00Z",
    "advisory" : "RHSA-2022:6407",
    "cpe" : "cpe:/a:redhat:integration:1",
    "package" : "lz4",
    "impact" : "low"
  }, {
    "product_name" : "RHINT Camel-Q 2.7",
    "release_date" : "2022-07-19T00:00:00Z",
    "advisory" : "RHSA-2022:5606",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2.7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "lz4",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Affected",
    "package_name" : "lz4",
    "cpe" : "cpe:/a:redhat:quarkus:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "lz4",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "lz4",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Affected",
    "package_name" : "lz4",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "lz4",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3520\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3520" ],
  "name" : "CVE-2021-3520",
  "csaw" : false
}