Bug 1939487 (CVE-2021-28361)

Summary: CVE-2021-28361 spdk: NULL pointer dereference in the iSCSI target If a PDU is sent with a zero length
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: anharris, bniver, flucifre, gfidente, gmeno, hvyas, jdurgin, jjoyce, jschluet, lhh, lpeer, mbenjamin, mburns, mhackett, mhicks, sclewis, slinaber, sostapov, vereddy
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: spdk 21.01.1
Doc Text:
A flaw was found in the SPDK iSCSI target. A text PDU sent with a zero length caused a NULL pointer dereference, resulting in a crash of the SPDK iSCSI target process. The highest threat from this vulnerability is to system availability.
Bug Depends On: 1940644, 1942063    
Bug Blocks: 1939489    

Description Guilherme de Almeida Suckevicz 2021-03-16 13:35:12 UTC
An issue was discovered in Storage Performance Development Kit (SPDK) before 20.01.01. If a PDU is sent to the iSCSI target with a zero length (but data is expected), the iSCSI target can crash with a NULL pointer dereference.

Reference:
https://github.com/spdk/spdk/releases/tag/v21.01.1

Comment 1 Sage McTaggart 2021-03-18 19:09:00 UTC
External References:

https://github.com/spdk/spdk/releases/tag/v21.01.1

Comment 6 Hardik Vyas 2021-03-29 10:29:01 UTC
Statement:

* Ceph in Red Hat Enterprise Linux is built without SPDK.

* Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP ceph package will not be updated at this time.

* Red Hat OpenShift Container Storage (RHOCS) 4 shipped the ceph package for the usage of RHOCS 4.2 only, which has reached End Of Life. The shipped version of the ceph package is no longer used and supported with the release of RHOCS 4.3.