GitHub Advisory DatabaseGHSA-84RM-QF37-FGC2Integer Overflow in openssl-src
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
0.004 Low
EPSS
Percentile
74.2%
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| openssl-src | lt | 111.14.0 |
References
seclists.org/fulldisclosure/2021/May/67
seclists.org/fulldisclosure/2021/May/68
seclists.org/fulldisclosure/2021/May/70
cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf
git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807
git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
github.com/advisories/GHSA-84rm-qf37-fgc2
kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
nvd.nist.gov/vuln/detail/CVE-2021-23841
rustsec.org/advisories/RUSTSEC-2021-0058
rustsec.org/advisories/RUSTSEC-2021-0058.html
security.gentoo.org/glsa/202103-03
security.netapp.com/advisory/ntap-20210219-0009/
security.netapp.com/advisory/ntap-20210513-0002/
support.apple.com/kb/HT212528
support.apple.com/kb/HT212529
support.apple.com/kb/HT212534
www.debian.org/security/2021/dsa-4855
www.openssl.org/news/secadv/20210216.txt
www.oracle.com//security-alerts/cpujul2021.html
www.oracle.com/security-alerts/cpuApr2021.html
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpuoct2021.html
www.tenable.com/security/tns-2021-03
www.tenable.com/security/tns-2021-09
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
0.004 Low
EPSS
Percentile
74.2%