Skip to main content
News

Linux Vulnerabilities of the Week: May 10, 2021

By May 11, 2021November 10th, 2022No Comments
||

Linux Vulnerabilities of the Week: May 10, 2021

Are you caught up on May's latest Linux vulnerabilities? See this week's top issues and keep your IT environment protected.

1. Resource exhaustion because of receiving an invalid large TLS frame in Eclipse Jetty

Severity: Important    CVSS Score: 7.5

This is a vulnerability in Eclipse Jetty. When using SSL/TLS with Jetty, the server may receive an invalid large TLS frame that will be incorrectly handled, causing the situation that CPU usage reaches 100%.

The highest threat from this vulnerability is to service availability.

Syxscore Risk Alert

This vulnerability has a high risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-28165

2. The Bind 9 vulnerability

Severity: Important    CVSS Score: 7.5

This is a flaw in Bind due to which an assertion check fails when answering queries for DNAME records that require the DNAME to be processed to resolve itself.

The highest threat from this flaw is to system availability.

Syxscore Risk Alert

This vulnerability has a high risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-25215

3. A SMLLexer infinite loop flaw affecting Red Hat Enterprise Linux 8

Severity: Important  CVSS Score: 7.5

This is an infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 that may lead to denial of service when performing syntax highlighting of an SML source file, as demonstrated by the input that only contains the “exception” keyword.

The highest threat from this flaw is to system availability.

Syxscore Risk Alert

This vulnerability has a high risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-20270

4. Unauthorized global ID reuse in Ceph (<2.20)

Severity: Important    CVSS Score: 7.2

This is an authentication flaw in ceph. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn’t sanitize other_keys, allowing key reuse.

As ceph does not force the reuse of old keys to generate new ones, when an attacker requests a global_id, they can exploit the ability of any user to request a global_id that was associated with another user before.

The highest threat from this vulnerability is to data confidentiality and system availability.

Syxscore Risk Alert

This vulnerability has a high risk as though its exploitation requires high privileges, this can be exposed over any network, with low complexity, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-20288

5. Possible request smuggling in HTTP/2 in Netty (<1.60.Final)

Severity: Medium       CVSS Score: 5.9

This is a vulnerability in Netty that allows an attacker to smuggle requests inside the application’s body as it gets downgraded from HTTP/2 to HTTP/1.1

Syxscore Risk Alert

This vulnerability has a moderate risk as though it requires a complex attack it can be exposed over any network with no privileges and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-21295

Try Linux Patching with Syxsense

Syxsense makes endpoint management and security easy. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

Leave a Reply