CVE-2021-28361 — NULL Pointer Dereference in Storage Performance Development KIT

CWE-476 — NULL Pointer Dereference4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spdk Storage Performance Development KIT Msrc Azl3 Ceph 18.2.2-1 ON Azure Linux 3.0 Msrc Azl3 Ceph 18.2.2-8 ON Azure Linux 3.0 +3 more

Timeline

PublishedMar 13

Latest updateMay 24

Description

An issue was discovered in Storage Performance Development Kit (SPDK) before 20.01.01. If a PDU is sent to the iSCSI target with a zero length (but data is expected), the iSCSI target can crash with a NULL pointer dereference.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDspdk/storage_performance_development_kit< 20.01.01

▶msrcmsrc/cbl_mariner_2.0_arm

▶msrcmsrc/cbl_mariner_2.0_x64

▶msrcmsrc/azl3_ceph_18.2.2-1_on_azure_linux_3.0

▶msrcmsrc/azl3_ceph_18.2.2-8_on_azure_linux_3.0

🔴Vulnerability Details

GHSA

GHSA-f2h7-8qhx-58qw: An issue was discovered in Storage Performance Development Kit (SPDK) before 20↗2022-05-24

▶

📋Vendor Advisories

Red Hat

spdk: NULL pointer dereference in the iSCSI target If a PDU is sent with a zero length↗2021-03-10

▶

Microsoft

An issue was discovered in Storage Performance Development Kit (SPDK) before 20.01.01. If a PDU is sent to the iSCSI target with a zero length (but data is expected) the iSCSI target can crash with a ↗2021-03-09

▶