{
  "threat_severity" : "Moderate",
  "public_date" : "2022-01-11T00:00:00Z",
  "bugzilla" : {
    "description" : "ceph: Ceph volume does not honour osd_dmcrypt_key_size",
    "id" : "2024788",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2024788"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-287",
  "details" : [ "A key length flaw was found in Red Hat Ceph Storage. An attacker can exploit the fact that the key length is incorrectly passed in an encryption algorithm to create a non random key, which is weaker and can be exploited for loss of confidentiality and integrity on encrypted disks.", "A key length flaw was found in Red Hat Ceph Storage. An attacker can exploit the fact that the key length is incorrectly passed in an encryption algorithm to create a non random key, which is weaker and can be exploited for loss of confidentiality and integrity on encrypted disks." ],
  "statement" : "Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time.",
  "acknowledgement" : "Red Hat would like to thank Mark Kirkwood (Catalyst Cloud) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ceph Storage 4.3",
    "release_date" : "2022-05-05T00:00:00Z",
    "advisory" : "RHSA-2022:1716",
    "cpe" : "cpe:/a:redhat:ceph_storage:4::el7",
    "package" : "ceph-2:14.2.22-110.el8cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 5.1",
    "release_date" : "2022-04-04T00:00:00Z",
    "advisory" : "RHSA-2022:1174",
    "cpe" : "cpe:/a:redhat:ceph_storage:5.1::el8",
    "package" : "ceph-2:16.2.7-98.el8cp"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Out of support scope",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "ceph-common",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Will not fix",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:openstack:13"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3979\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3979" ],
  "name" : "CVE-2021-3979",
  "csaw" : false
}