CVE-2021-23840

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
opensslCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
VendorProductVersion
opensslopenssl
1.0.2 ≤
𝑥
< 1.0.2y
opensslopenssl
1.1.1 ≤
𝑥
< 1.1.1j
debiandebian_linux
10.0
tenablelog_correlation_engine
𝑥
< 6.0.8
tenablenessus_network_monitor
5.11.0
tenablenessus_network_monitor
5.11.1
tenablenessus_network_monitor
5.12.0
tenablenessus_network_monitor
5.12.1
tenablenessus_network_monitor
5.13.0
oraclebusiness_intelligence
5.5.0.0.0
oraclebusiness_intelligence
5.9.0.0.0
oraclebusiness_intelligence
12.2.1.3.0
oraclebusiness_intelligence
12.2.1.4.0
oraclecommunications_cloud_native_core_policy
1.15.0
oracleenterprise_manager_for_storage_management
13.4.0.0
oracleenterprise_manager_ops_center
12.4.0.0
oraclegraalvm
19.3.5
oraclegraalvm
20.3.1.2
oraclegraalvm
21.0.0.2
oraclejd_edwards_enterpriseone_tools
𝑥
< 9.2.6.0
oraclemysql_server
𝑥
< 5.7.33
oraclemysql_server
8.0.15 ≤
𝑥
< 8.0.23
oraclenosql_database
𝑥
< 20.3
mcafeeepolicy_orchestrator
𝑥
< 5.10.0
mcafeeepolicy_orchestrator
5.10.0
mcafeeepolicy_orchestrator
5.10.0:update_1
mcafeeepolicy_orchestrator
5.10.0:update_10
mcafeeepolicy_orchestrator
5.10.0:update_2
mcafeeepolicy_orchestrator
5.10.0:update_3
mcafeeepolicy_orchestrator
5.10.0:update_4
mcafeeepolicy_orchestrator
5.10.0:update_5
mcafeeepolicy_orchestrator
5.10.0:update_6
mcafeeepolicy_orchestrator
5.10.0:update_7
mcafeeepolicy_orchestrator
5.10.0:update_8
mcafeeepolicy_orchestrator
5.10.0:update_9
nodejsnode.js
10.0.0 ≤
𝑥
≤ 10.12.0
nodejsnode.js
10.13.0 ≤
𝑥
< 10.24.0
nodejsnode.js
12.0.0 ≤
𝑥
≤ 12.12.0
nodejsnode.js
12.13.0 ≤
𝑥
< 12.21.0
nodejsnode.js
14.0.0 ≤
𝑥
≤ 14.14.0
nodejsnode.js
15.0.0 ≤
𝑥
< 15.10.0
nodejsnode.js
14.15.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssl
bullseye
1.1.1w-0+deb11u1
fixed
bullseye (security)
1.1.1w-0+deb11u2
fixed
bookworm
3.0.14-1~deb12u1
fixed
bookworm (security)
3.0.14-1~deb12u2
fixed
sid
3.3.2-2
fixed
trixie
3.3.2-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
edk2
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
Fixed 2020.11-4ubuntu0.1
released
groovy
ignored
focal
Fixed 0~20191122.bd85bf54-2ubuntu3.3
released
bionic
needed
xenial
needs-triage
trusty
dne
nodejs
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
needed
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
openssl
noble
Fixed 1.1.1j-1ubuntu1
released
mantic
Fixed 1.1.1j-1ubuntu1
released
lunar
Fixed 1.1.1j-1ubuntu1
released
kinetic
Fixed 1.1.1j-1ubuntu1
released
jammy
Fixed 1.1.1j-1ubuntu1
released
impish
Fixed 1.1.1j-1ubuntu1
released
hirsute
Fixed 1.1.1j-1ubuntu1
released
groovy
Fixed 1.1.1f-1ubuntu4.2
released
focal
Fixed 1.1.1f-1ubuntu2.2
released
bionic
Fixed 1.1.1-1ubuntu2.1~18.04.8
released
xenial
Fixed 1.0.2g-1ubuntu4.19
released
trusty
Fixed 1.0.1f-1ubuntu2.27+esm10
released
openssl1.0
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
Fixed 1.0.2n-1ubuntu5.6
released
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
https://kc.mcafee.com/corporate/index?page=content&id=SB10366
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
https://security.gentoo.org/glsa/202103-03
https://security.netapp.com/advisory/ntap-20210219-0009/
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.debian.org/security/2021/dsa-4855
https://www.openssl.org/news/secadv/20210216.txt
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.tenable.com/security/tns-2021-03
https://www.tenable.com/security/tns-2021-09
https://www.tenable.com/security/tns-2021-10
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
https://kc.mcafee.com/corporate/index?page=content&id=SB10366
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
https://security.gentoo.org/glsa/202103-03
https://security.netapp.com/advisory/ntap-20210219-0009/
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.debian.org/security/2021/dsa-4855
https://www.openssl.org/news/secadv/20210216.txt
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.tenable.com/security/tns-2021-03
https://www.tenable.com/security/tns-2021-09
https://www.tenable.com/security/tns-2021-10