CVE-2021-3520

9.8 CRITICAL

📋 TL;DR

CVE-2021-3520 is an integer overflow vulnerability in the LZ4 compression library that allows attackers to trigger out-of-bounds writes by submitting crafted files. This can lead to application crashes (availability impact) or potentially arbitrary code execution (confidentiality/integrity impact). Any application or system using vulnerable versions of LZ4 is affected.

💻 Affected Systems

Products:
  • LZ4 library
  • Applications using LZ4 compression
  • Red Hat Enterprise Linux
  • Oracle products
  • NetApp products
Versions: LZ4 versions before 1.9.3
Operating Systems: Linux distributions, Various Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that processes untrusted LZ4-compressed files is vulnerable. The vulnerability is in the library itself, not specific applications.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crashes causing denial of service, with potential for limited memory corruption.

🟢 If Mitigated: Application crashes with no data compromise if proper sandboxing and memory protections are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires submitting a crafted LZ4 file to a vulnerable application. No authentication is needed if the application accepts external files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: LZ4 1.9.3 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1954559

Restart Required: Yes

Instructions:

1. Update the LZ4 library to version 1.9.3 or later.
2. Rebuild any statically linked applications.
3. Restart affected services.
4. For OS packages, use your distribution's package manager (yum update lz4, apt upgrade liblz4).

🔧 Temporary Workarounds

Input validation (all platforms): Implement strict validation of LZ4 file inputs before processing.

Memory protection (linux): Enable ASLR and other memory protection mechanisms. ASLR makes an out-of-bounds write harder to turn into code execution but does not prevent the crash, so it complements patching rather than replacing it.

sysctl -w kernel.randomize_va_space=2

A setting applied with sysctl -w does not survive a reboot; persist it in /etc/sysctl.conf or a file under /etc/sysctl.d/.

🧯 If You Can't Patch

  • Isolate vulnerable systems from untrusted networks
  • Implement strict file upload controls and scanning for LZ4 files

🔍 How to Verify

Check if Vulnerable:

Check LZ4 library version: lz4 --version or check package version (rpm -q lz4, dpkg -l liblz4)

Check Version:

lz4 --version 2>/dev/null | head -n 1 | grep . || rpm -q lz4 2>/dev/null || dpkg -l 'liblz4*' 2>/dev/null | grep '^ii'

The grep . is needed because the exit status of a pipeline is that of its last command (head), which succeeds even when the lz4 binary is missing; without it the rpm and dpkg fallbacks never run.

Verify Fix Applied:

Confirm the installed LZ4 version is 1.9.3 or higher and test with known malicious LZ4 files. Distribution packages may backport the fix under an older version number, so when the package version is below 1.9.3 check the package changelog or the vendor advisory before concluding the system is unpatched.
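The version check above is easy to get wrong by hand (a version such as 1.10.0 sorts before 1.9.3 as a string). The script below is an added example, not part of this advisory or of the LZ4 project: it pulls the first dotted version out of whatever lz4 --version, rpm -q or dpkg -l print, compares it numerically against 1.9.3, and classifies the result. The sample strings in the block are constructed for illustration, not captured from real systems; the function names (extract_version, version_lt, lz4_status, check_installed_lz4) and the --live flag are this example's own. Run it with --live to check the host you are on.

```shell
#!/bin/sh
# Added example, not part of the advisory: extract an LZ4 version from tool
# output and compare it numerically against the fixed release (1.9.3).

FIXED_VERSION="1.9.3"

# Print the first dotted version token (e.g. "1.9.2") found in a string such
# as the output of `lz4 --version`, `rpm -q lz4` or `dpkg -l liblz4*`.
# Tokens without a dot ("64-bits", "x86_64") are ignored.
extract_version() {
  printf '%s\n' "$1" | grep -o -E '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1
}

# Return 0 when $1 is an older version than $2, 1 otherwise.
# Compared component by component as integers; missing components count as 0.
version_lt() {
  a="$1.0.0"; b="$2.0.0"   # pad so every version has at least three fields
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# Classify a raw tool output line: prints "vulnerable", "fixed" or "unknown".
lz4_status() {
  ver=$(extract_version "$1")
  if [ -z "$ver" ]; then
    echo unknown
  elif version_lt "$ver" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo fixed
  fi
}

# Live check of this host: try the CLI first, then the package managers (the
# same order as the advisory's verification command), and classify the answer.
check_installed_lz4() {
  raw=$(lz4 --version 2>/dev/null | head -n 1)
  [ -n "$raw" ] || raw=$(rpm -q lz4 2>/dev/null || true)
  [ -n "$raw" ] || raw=$(dpkg -l 'liblz4*' 2>/dev/null | grep '^ii' | head -n 1)
  if [ -z "$raw" ]; then
    echo "lz4: not found (unknown)"
    return 2
  fi
  echo "lz4: $raw -> $(lz4_status "$raw")"
}

if [ "${1:-}" = "--live" ]; then
  check_installed_lz4
else
  # Constructed sample lines (not real captures) showing the three formats.
  for sample in \
    '*** LZ4 command line interface 64-bits v1.9.2, by Yann Collet ***' \
    'lz4-1.9.3-1.el8.x86_64' \
    'ii  liblz4-1:amd64  1.8.3-1  amd64  Fast LZ compression algorithm library'
  do
    printf '%-72s %s\n' "$sample" "$(lz4_status "$sample")"
  done
fi
```

A "vulnerable" verdict from the package version alone is a prompt to look further, not a final answer: distributions backport fixes under older version numbers, so confirm against the package changelog or the vendor advisory before raising an alarm.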

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Memory corruption errors in application logs
  • Unexpected process termination

Network Indicators:

  • Unusual LZ4 file uploads to applications
  • Traffic patterns indicating file upload exploitation

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "SIGSEGV" OR "out of bounds")
