Lucene search

K
amazonAmazonALAS-2021-1541
HistoryOct 01, 2021 - 6:00 p.m.

Medium: openssl

2021-10-0118:00:00
alas.aws.amazon.com
21

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS

0.004

Percentile

72.0%

Issue Overview:

It was found that openssl assumed ASN.1 strings to be NUL terminated. A malicious actor may be able to force an application into calling openssl function with a specially crafted, non-NUL terminated string to deliberately hit this bug, which may result in a crash of the application, causing a Denial of Service attack, or possibly, memory disclosure. The highest threat from this vulnerability is to data confidentiality and system availability. (CVE-2021-3712)

Affected Packages:

openssl

Issue Correction:
Run yum update openssl to update your system.

New Packages:

i686:  
    openssl-perl-1.0.2k-16.154.amzn1.i686  
    openssl-devel-1.0.2k-16.154.amzn1.i686  
    openssl-static-1.0.2k-16.154.amzn1.i686  
    openssl-1.0.2k-16.154.amzn1.i686  
    openssl-debuginfo-1.0.2k-16.154.amzn1.i686  
  
src:  
    openssl-1.0.2k-16.154.amzn1.src  
  
x86_64:  
    openssl-static-1.0.2k-16.154.amzn1.x86_64  
    openssl-perl-1.0.2k-16.154.amzn1.x86_64  
    openssl-devel-1.0.2k-16.154.amzn1.x86_64  
    openssl-debuginfo-1.0.2k-16.154.amzn1.x86_64  
    openssl-1.0.2k-16.154.amzn1.x86_64  

Additional References

Red Hat: CVE-2021-3712

Mitre: CVE-2021-3712

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS

0.004

Percentile

72.0%