Broadcom Security Response (BSNSA21216)

CVE-2021-4044: Invalid handling of X509_verify_cert() internal errors in libssl

Published: 2022-11-08 00:00:00 by Broadcom Security Response (support.broadcom.com)

AI Score: 7.1 High (confidence: Low)

EPSS: 0.002 Low (percentile: 55.4%)

Security Advisory ID : BSA-2022-1661

Component : OpenSSL

Revision : 1.0

A flaw was found in the way OpenSSL verifies certificates via the X509_verify_cert() function. X509_verify_cert() may return a negative value to indicate an internal error (for example, out of memory). OpenSSL mishandles such a negative return value: an I/O function such as SSL_connect() or SSL_do_handshake() will not indicate success, and a subsequent call to SSL_get_error() will return SSL_ERROR_WANT_RETRY_VERIFY. OpenSSL is only supposed to return that value if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not, the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be unexpected, and applications may not behave correctly as a result. The exact behavior depends on the application, but it could result in crashes, infinite loops, or other similar incorrect responses.
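The infinite-loop outcome described above comes from application code that retries on every SSL_ERROR_WANT_* code it sees. The following is an added example, not Broadcom's or OpenSSL's code, of a handshake driver that only retries the codes it was written for, treats SSL_ERROR_WANT_RETRY_VERIFY as fatal unless the application actually installed a verify callback, and bounds the number of rounds in any case. The hs_ops indirection, the mock connection and the demo scripts are constructed for this example so it runs without a live TLS peer; the fallback numeric values for the SSL_ERROR_* macros are assumed from OpenSSL 3.0's ssl.h and are only used when that header is not included.

```c
/* Added example, not Broadcom's or OpenSSL's code: a handshake driver that
 * treats SSL_get_error() codes it did not ask for as fatal instead of
 * retrying them. The advisory's fault surfaces as an unexpected
 * SSL_ERROR_WANT_RETRY_VERIFY; a loop that retries every SSL_ERROR_WANT_*
 * code would spin on it forever. */
#include <stdio.h>

/* In a real program include <openssl/ssl.h> above; these fallbacks let the
 * block compile without it (values assumed from OpenSSL 3.0's ssl.h). */
#ifndef SSL_ERROR_WANT_READ
# define SSL_ERROR_WANT_READ 2
# define SSL_ERROR_WANT_WRITE 3
#endif
#ifndef SSL_ERROR_WANT_RETRY_VERIFY /* also absent from pre-3.0 headers */
# define SSL_ERROR_WANT_RETRY_VERIFY 12
#endif

typedef enum { HS_OK = 0, HS_FATAL = -1, HS_GAVE_UP = -2 } hs_result;

/* Hypothetical indirection so the driver runs without a live connection:
 * step() stands in for SSL_do_handshake(), get_error() for SSL_get_error(),
 * wait_io() for poll()/select() on the socket (returns 0 when ready). */
typedef struct {
    int (*step)(void *conn);
    int (*get_error)(void *conn, int ret);
    int (*wait_io)(void *conn, int want_write);
    void *conn;
    int has_verify_cb; /* 1 only if SSL_CTX_set_cert_verify_callback() was used */
} hs_ops;

hs_result drive_handshake(const hs_ops *ops, int max_rounds)
{
    for (int round = 0; round < max_rounds; round++) {
        int ret = ops->step(ops->conn);
        if (ret == 1)
            return HS_OK; /* handshake finished */
        int err = ops->get_error(ops->conn, ret);
        switch (err) {
        case SSL_ERROR_WANT_READ:
        case SSL_ERROR_WANT_WRITE:
            if (ops->wait_io(ops->conn, err == SSL_ERROR_WANT_WRITE) != 0)
                return HS_FATAL;
            continue;
        case SSL_ERROR_WANT_RETRY_VERIFY:
            /* Legitimate only when the app installed a verify callback that
             * can now make progress; otherwise it is the libssl fault. */
            if (ops->has_verify_cb)
                continue;
            return HS_FATAL;
        default:
            /* SSL_ERROR_SSL, SSL_ERROR_SYSCALL, SSL_ERROR_ZERO_RETURN and any
             * code this loop was not written for: abort, never spin. */
            return HS_FATAL;
        }
    }
    return HS_GAVE_UP; /* bounded even for "legitimate" retries */
}

/* Constructed mock connection: scripted (return, error) pairs; it sticks on
 * the last pair once the script is exhausted. */
typedef struct { const int *rets, *errs; int n, last; } mock_conn;

static int mock_step(void *c)
{
    mock_conn *m = c;
    if (m->last + 1 < m->n) m->last++;
    return m->rets[m->last];
}
static int mock_err(void *c, int ret) { (void)ret; return ((mock_conn *)c)->errs[((mock_conn *)c)->last]; }
static int mock_wait(void *c, int w) { (void)c; (void)w; return 0; }

static hs_result run_script(const int *rets, const int *errs, int n, int has_cb)
{
    mock_conn m = { rets, errs, n, -1 };
    hs_ops ops = { mock_step, mock_err, mock_wait, &m, has_cb };
    return drive_handshake(&ops, 8);
}

/* Healthy peer: WANT_READ, WANT_WRITE, then success (error unread on success). */
hs_result demo_healthy(void)
{
    static const int r[] = { -1, -1, 1 }, e[] = { SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE, 0 };
    return run_script(r, e, 3, 0);
}
/* Affected libssl after an internal X509_verify_cert() error, no callback set. */
hs_result demo_unexpected_retry_verify(void)
{
    static const int r[] = { -1 }, e[] = { SSL_ERROR_WANT_RETRY_VERIFY };
    return run_script(r, e, 1, 0);
}
/* Same signal with a callback installed: retry is allowed but still bounded. */
hs_result demo_bounded_retry(void)
{
    static const int r[] = { -1 }, e[] = { SSL_ERROR_WANT_RETRY_VERIFY };
    return run_script(r, e, 1, 1);
}

int main(void)
{
    printf("healthy=%d unexpected=%d bounded=%d\n", demo_healthy(),
           demo_unexpected_retry_verify(), demo_bounded_retry());
    return 0;
}
```

The design point is that the switch lists the codes the caller knows how to make progress on and falls through to failure for everything else, so a libssl that starts returning a value the application never opted into (as the affected versions do after an internal X509_verify_cert() error) produces a clean handshake failure rather than a hang; the round limit is a second guard for callers that do install a verify callback.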

Products Confirmed Not Affected

No other Brocade Fibre Channel products are affected.