CVE-2021-3522
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Description
GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags.
Analysis
GStreamer versions prior to 1.18.4 contain an out-of-bounds read vulnerability when processing malformed ID3v2 tags, potentially leading to information disclosure or, more plausibly given the CVSS vector's C:N rating, denial of service through an application crash. The vulnerability affects GStreamer itself and multiple NetApp products (Active IQ Unified Manager, E-Series Santricity, OnCommand suite, and HCI Management Node) that embed or depend on GStreamer libraries. An attacker can trigger this vulnerability by crafting a malicious audio file with specially formatted ID3v2 metadata and providing it to an application that uses the affected GStreamer library. The EPSS score of 0.13% (32nd percentile) suggests limited real-world exploitation likelihood despite the moderate CVSS 5.5 rating.
Technical Context
The vulnerability exists in GStreamer's ID3v2 tag parsing implementation (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*), a widely used multimedia framework. ID3v2 is a metadata container standard embedded in audio files, primarily MP3s. The root cause is classified as CWE-125 (Out-of-bounds Read), occurring when the parser fails to properly validate tag boundary lengths before attempting memory access: an ID3v2 tag with malformed frame size or offset values causes the parser to read beyond allocated buffer boundaries. This affects downstream consumers including NetApp products: Active IQ Unified Manager (VMware vSphere and Windows variants), E-Series Santricity OS Controller, Santricity Storage Manager, Santricity Web Services Proxy, HCI Management Node, OnCommand Insight, OnCommand Workflow Automation, and Santricity Unified Manager, all of which process audio or multimedia content that may contain ID3v2 metadata.
Affected Products
GStreamer versions prior to 1.18.4 are affected (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*). Multiple NetApp products are affected: Active IQ Unified Manager (both VMware vSphere and Windows deployments), E-Series Santricity OS Controller, E-Series Santricity Storage Manager, E-Series Santricity Web Services (Web Services Proxy variant), HCI Management Node, OnCommand Insight, OnCommand Workflow Automation, and Santricity Unified Manager. The NetApp advisory (https://security.netapp.com/advisory/ntap-20211022-0004/) provides specific impact details. Oracle also confirmed impact in its October 2021 CPU advisory (https://www.oracle.com/security-alerts/cpuoct2021.html). Gentoo users are covered by GLSA 202208-31 (https://security.gentoo.org/glsa/202208-31).
Remediation
Upgrade GStreamer to version 1.18.4 or later from the official GStreamer project repository. NetApp customers should apply the vendor patch documented in advisory ntap-20211022-0004 (https://security.netapp.com/advisory/ntap-20211022-0004/), which includes updates for all affected products. For Red Hat/CentOS systems, update GStreamer packages via yum/dnf repositories (see Red Hat BZ#1954761 at https://bugzilla.redhat.com/show_bug.cgi?id=1954761). Gentoo users should follow the GLSA 202208-31 guidance. If immediate patching is unavailable, mitigate by restricting user access to untrusted audio files in environments where GStreamer processes user-supplied media, implementing file type validation to reject suspicious ID3v2 structures, and monitoring for crashes in GStreamer-dependent applications. Validate ID3v2 tags using dedicated metadata validators before processing.
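The bounds check that the Technical Context section describes as missing, and the pre-processing ID3v2 validation that the remediation recommends, can be illustrated with a small standalone validator. The code below is an added example written for this page; it is not GStreamer code and does not reproduce the actual patch. It assumes only the public ID3v2.3/2.4 tag layout (10-byte header with a syncsafe tag size, optional extended header, 10-byte frame headers) and rejects any frame whose declared size would carry a read past the end of the tag or past the end of the available data. The sample tags at the bottom are constructed for the example.

```python
"""Defensive ID3v2 tag validator (example code, not GStreamer's implementation).

Walks the frames of an ID3v2.3 or ID3v2.4 tag and refuses to accept any frame
whose declared size would extend past the tag boundary, which is the class of
inconsistency behind an out-of-bounds read (CWE-125) in a tag parser.
"""
import struct


def decode_syncsafe(b: bytes) -> int:
    """Decode a 4-byte syncsafe integer (7 data bits per byte, high bit clear)."""
    if len(b) != 4:
        raise ValueError("syncsafe integers are 4 bytes")
    if any(x & 0x80 for x in b):
        raise ValueError("syncsafe byte has its high bit set")
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def encode_syncsafe(n: int) -> bytes:
    """Inverse of decode_syncsafe, used here only to build sample tags."""
    if not 0 <= n < (1 << 28):
        raise ValueError("value does not fit in 28 bits")
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def validate_id3v2(data: bytes) -> list[str]:
    """Return the frame IDs of a well-formed tag, or raise ValueError.

    Every size read from the file is checked against the enclosing boundary
    *before* it is used to advance or to slice; nothing is trusted blindly.
    """
    if len(data) < 10 or data[:3] != b"ID3":
        raise ValueError("no ID3v2 header")
    major, flags = data[3], data[5]
    if major not in (3, 4):
        raise ValueError(f"unsupported ID3v2.{major} tag")
    tag_size = decode_syncsafe(data[6:10])
    end = 10 + tag_size
    if end > len(data):
        raise ValueError("declared tag size exceeds available bytes")

    pos = 10
    if flags & 0x40:  # extended header present
        if end - pos < 4:
            raise ValueError("truncated extended header")
        raw = data[pos:pos + 4]
        # v2.4 size includes the 4 size bytes; v2.3 size excludes them.
        ext = decode_syncsafe(raw) if major == 4 else struct.unpack(">I", raw)[0] + 4
        if pos + ext > end:
            raise ValueError("extended header exceeds tag boundary")
        pos += ext

    frames: list[str] = []
    while pos < end:
        if data[pos] == 0:  # zero byte marks the start of padding
            break
        if end - pos < 10:
            raise ValueError("truncated frame header")
        fid = data[pos:pos + 4]
        if not all(0x30 <= c <= 0x39 or 0x41 <= c <= 0x5A for c in fid):
            raise ValueError(f"invalid frame id {fid!r}")
        raw = data[pos + 4:pos + 8]
        fsize = decode_syncsafe(raw) if major == 4 else struct.unpack(">I", raw)[0]
        if fsize == 0:
            raise ValueError(f"frame {fid.decode()} has zero length")
        # The check a parser must make before touching frame data:
        if pos + 10 + fsize > end:
            raise ValueError(f"frame {fid.decode()} size {fsize} exceeds tag boundary")
        frames.append(fid.decode("ascii"))
        pos += 10 + fsize
    return frames


def is_safe_id3v2(data: bytes) -> bool:
    """Boolean gate suitable for a pre-processing filter."""
    try:
        validate_id3v2(data)
        return True
    except ValueError:
        return False


def build_tag(frames, major=4, declared_size=None, padding=0) -> bytes:
    """Construct a sample tag; declared_size lets a test lie about the tag size."""
    body = b""
    for fid, payload in frames:
        size = encode_syncsafe(len(payload)) if major == 4 else struct.pack(">I", len(payload))
        body += fid + size + b"\x00\x00" + payload
    body += b"\x00" * padding
    size = len(body) if declared_size is None else declared_size
    return b"ID3" + bytes([major, 0, 0]) + encode_syncsafe(size) + body


# Constructed samples (not taken from any real file).
GOOD_TAG = build_tag([(b"TIT2", b"\x03hello")], padding=4)
GOOD_V23_TAG = build_tag([(b"TPE1", b"\x00Artist")], major=3)
# Frame header claims 1000 bytes of data inside a 12-byte tag body.
OVERSIZED_FRAME_TAG = (b"ID3\x04\x00\x00" + encode_syncsafe(12)
                       + b"TIT2" + encode_syncsafe(1000) + b"\x00\x00" + b"\x03x")
# Header claims 500 bytes of tag, but the buffer ends after one frame.
TRUNCATED_TAG = build_tag([(b"TIT2", b"\x03hello")], declared_size=500)

if __name__ == "__main__":
    for name, tag in [("good", GOOD_TAG), ("good v2.3", GOOD_V23_TAG),
                      ("oversized frame", OVERSIZED_FRAME_TAG), ("truncated", TRUNCATED_TAG)]:
        print(f"{name:16s} safe={is_safe_id3v2(tag)}")
```

Used as a gate in front of a media pipeline, `is_safe_id3v2` rejects the two malformed samples while accepting both the v2.4 and v2.3 well-formed ones; a parser that performed the same `pos + 10 + fsize > end` comparison before dereferencing frame data would not read past its buffer regardless of what the size field claims.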