CVE-2021-23840
Last modified
CVE-2021-23840 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. EPSS estimates a 50.73% chance of exploitation in the next 30 days.
Description
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Openssl | Openssl | >= 1.0.2, < 1.0.2y |
| Openssl | Openssl | >= 1.1.1, < 1.1.1j |
| Debian | Debian Linux | 10.0 |
| Tenable | Log Correlation Engine | < 6.0.8 |
| Tenable | Nessus Network Monitor | 5.11.0 |
| Tenable | Nessus Network Monitor | 5.11.1 |
| Tenable | Nessus Network Monitor | 5.12.0 |
| Tenable | Nessus Network Monitor | 5.12.1 |
| Tenable | Nessus Network Monitor | 5.13.0 |
| Oracle | Business Intelligence | 5.5.0.0.0 |
| Oracle | Business Intelligence | 5.9.0.0.0 |
| Oracle | Business Intelligence | 12.2.1.3.0 |
| Oracle | Business Intelligence | 12.2.1.4.0 |
| Oracle | Communications Cloud Native Core Policy | 1.15.0 |
| Oracle | Enterprise Manager For Storage Management | 13.4.0.0 |
| Oracle | Enterprise Manager Ops Center | 12.4.0.0 |
| Oracle | Graalvm | 19.3.5 |
| Oracle | Graalvm | 20.3.1.2 |
| Oracle | Graalvm | 21.0.0.2 |
| Oracle | Jd Edwards Enterpriseone Tools | < 9.2.6.0 |
| Oracle | Jd Edwards World Security | a9.4 |
| Oracle | Mysql Server | < 5.7.33 |
| Oracle | Mysql Server | >= 8.0.15, < 8.0.23 |
| Oracle | Nosql Database | < 20.3 |
| Mcafee | Epolicy Orchestrator | < 5.10.0 |
| Mcafee | Epolicy Orchestrator | 5.10.0 |
| Fujitsu | M10-1 Firmware | < xcp2410 |
| Fujitsu | M10-4 Firmware | < xcp2410 |
| Fujitsu | M10-4s Firmware | < xcp2410 |
| Fujitsu | M12-1 Firmware | < xcp2410 |
| Fujitsu | M12-2 Firmware | < xcp2410 |
| Fujitsu | M12-2s Firmware | < xcp2410 |
| Fujitsu | M10-1 Firmware | < xcp3110 |
| Fujitsu | M10-4 Firmware | < xcp3110 |
| Fujitsu | M10-4s Firmware | < xcp3110 |
| Fujitsu | M12-1 Firmware | < xcp3110 |
| Fujitsu | M12-2 Firmware | < xcp3110 |
| Fujitsu | M12-2s Firmware | < xcp3110 |
| Nodejs | Node.Js | >= 10.0.0, <= 10.12.0 |
| Nodejs | Node.Js | >= 10.13.0, < 10.24.0 |
| Nodejs | Node.Js | >= 12.0.0, <= 12.12.0 |
| Nodejs | Node.Js | >= 12.13.0, < 12.21.0 |
| Nodejs | Node.Js | >= 14.0.0, <= 14.14.0 |
| Nodejs | Node.Js | >= 15.0.0, < 15.10.0 |
| Nodejs | Node.Js | 14.15.0 |
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfThird Party Advisory
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846Third Party Advisory
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366Third Party Advisory
- https://security.gentoo.org/glsa/202103-03Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210219-0009/Third Party Advisory
- https://www.debian.org/security/2021/dsa-4855Third Party Advisory
- https://www.openssl.org/news/secadv/20210216.txtVendor Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
- https://www.tenable.com/security/tns-2021-03Third Party Advisory
- https://www.tenable.com/security/tns-2021-09Third Party Advisory
- https://www.tenable.com/security/tns-2021-10Third Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfThird Party Advisory
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846Third Party Advisory
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366Third Party Advisory
- https://security.gentoo.org/glsa/202103-03Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210219-0009/Third Party Advisory
- https://www.debian.org/security/2021/dsa-4855Third Party Advisory
- https://www.openssl.org/news/secadv/20210216.txtVendor Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
- https://www.tenable.com/security/tns-2021-03Third Party Advisory
- https://www.tenable.com/security/tns-2021-09Third Party Advisory
- https://www.tenable.com/security/tns-2021-10Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-23840?
How severe is CVE-2021-23840?
How do I fix CVE-2021-23840?
Are you affected by CVE-2021-23840?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST