Main Vulnerability Database SB2021101280

SB2021101280 - SUSE update for the Linux Kernel

Published: October 12, 2021 Updated: June 28, 2025

Security Bulletin ID SB2021101280

Severity

Medium

Patch available

YES

Number of vulnerabilities 6

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Cryptographic Issues (CVE-ID: CVE-2020-3702)

The vulnerability allows a remote attacker to gain access top sensitive information.

The vulnerability exists due to improper input validation in WIFI driver(Krook). A remote attacker can temporary disable WPA2 or the WPA/WPA2 mixed-mode encryption and intercept traffic in clear text.

2) Resource exhaustion (CVE-ID: CVE-2021-3669)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to measuring usage of the shared memory does not scale with large shared memory segment counts. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Memory leak (CVE-ID: CVE-2021-3744)

The vulnerability allows a local user to perform DoS attack on the target system.

The vulnerability exists due memory leak in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c. A local user can force the application to leak memory and perform denial of service attack.

4) Use-after-free (CVE-ID: CVE-2021-3752)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the Linux kernel’s Bluetooth subsystem when a user calls connect to the socket and disconnect simultaneously. A local user can escalate privileges on the system.

5) Memory leak (CVE-ID: CVE-2021-3764)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak error in the ccp_run_aes_gcm_cmd() function in Linux kernel. A local user can trigger a memory leak error and perform a denial of service (DoS) attack.

6) Race condition (CVE-ID: CVE-2021-40490)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2021/suse-su-20213339-1/

Vulnerable Software

SUSE Linux Enterprise Module for Realtime: 15-SP2
SUSE MicroOS: 5.0
kernel-source-rt: before 5.3.18-54.1
kernel-devel-rt: before 5.3.18-54.1
ocfs2-kmp-rt-debuginfo: before 5.3.18-54.1
ocfs2-kmp-rt: before 5.3.18-54.1
kernel-syms-rt: before 5.3.18-54.1
kernel-rt_debug-devel-debuginfo: before 5.3.18-54.1
kernel-rt_debug-devel: before 5.3.18-54.1
kernel-rt_debug-debugsource: before 5.3.18-54.1
kernel-rt_debug-debuginfo: before 5.3.18-54.1
kernel-rt_debug: before 5.3.18-54.1
kernel-rt-devel-debuginfo: before 5.3.18-54.1
kernel-rt-devel: before 5.3.18-54.1
gfs2-kmp-rt-debuginfo: before 5.3.18-54.1
gfs2-kmp-rt: before 5.3.18-54.1
dlm-kmp-rt-debuginfo: before 5.3.18-54.1
dlm-kmp-rt: before 5.3.18-54.1
cluster-md-kmp-rt-debuginfo: before 5.3.18-54.1
cluster-md-kmp-rt: before 5.3.18-54.1
kernel-rt-debugsource: before 5.3.18-54.1
kernel-rt-debuginfo: before 5.3.18-54.1
kernel-rt: before 5.3.18-54.1