CVE-2021-22901
Published on: 06/11/2021 12:00:00 AM UTC
Last Modified on: 05/13/2022 05:30:00 PM UTC
Certain versions of Curl from Haxx contain the following vulnerability:
curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.
- CVE-2021-22901 has been assigned by suppor[email protected] to track the vulnerability - currently rated as HIGH severity.
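The lifetime bug in the description, reduced to a toy model in C. This is an added example, not libcurl code and not from the curl project; every struct and function name is hypothetical, and a released transfer is modeled by a flag so the demo never touches freed heap. The hardened flow follows the idea named in the referenced fix title (associate/detach the transfer from the connection).

```c
#include <stddef.h>

/* Toy model of the lifetime bug; all names are hypothetical, not libcurl's.
   "Freeing" a transfer only clears a flag, so nothing here reads freed heap. */
struct transfer { int in_use; int tickets_seen; };
struct connection { struct transfer *owner; };  /* slot read by the ticket callback */
enum ticket_result { TICKET_STORED, TICKET_IGNORED, TICKET_STALE_OWNER };

static void transfer_free(struct transfer *t) { t->in_use = 0; }

/* Hardened pattern: attach before using the connection, detach before release. */
static void associate(struct connection *c, struct transfer *t) { c->owner = t; }
static void detach(struct connection *c, struct transfer *t) { if (c->owner == t) c->owner = NULL; }

/* Stands in for the TLS library's new-session callback on a connection. */
static enum ticket_result on_session_ticket(struct connection *c) {
  struct transfer *t = c->owner;
  if (!t) return TICKET_IGNORED;              /* nobody attached: drop the ticket */
  if (!t->in_use) return TICKET_STALE_OWNER;  /* on a real heap: use-after-free */
  t->tickets_seen++;
  return TICKET_STORED;
}

/* Vulnerable flow: pointer stored once at connection setup, never updated. */
static enum ticket_result ticket_after_first_transfer_freed(void) {
  struct transfer first = { 1, 0 };
  struct connection c = { &first };  /* connection outlives this transfer */
  transfer_free(&first);             /* a later transfer reuses the connection */
  return on_session_ticket(&c);
}

/* Fixed flow: the callback slot follows whichever transfer is active. */
static enum ticket_result ticket_with_associate_detach(int *seen_by_second) {
  struct transfer first = { 1, 0 }, second = { 1, 0 };
  struct connection c = { NULL };
  associate(&c, &first);
  detach(&c, &first);                /* slot cleared before the object goes away */
  transfer_free(&first);
  associate(&c, &second);
  enum ticket_result r = on_session_ticket(&c);
  *seen_by_second = second.tickets_seen;
  return r;
}

int main(void) {
  int n = 0;  /* exit status 0 when both flows behave as described */
  return ticket_after_first_transfer_freed() != TICKET_STALE_OWNER
      || ticket_with_associate_detach(&n) != TICKET_STORED || n != 1;
}
```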
CVSS3 Score: 8.1 - HIGH
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | HIGH | NONE | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 6.8 - MEDIUM
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | MEDIUM | NONE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
PARTIAL | PARTIAL | PARTIAL |
CVE References
Description | Tags | Link |
---|---|---|
July 2021 MySQL Vulnerabilities in NetApp Products | NetApp Product Security | security.netapp.com text/html |
Oracle Critical Patch Update Advisory - April 2022 | www.oracle.com text/html |
June 2021 cURL/libcURL Vulnerabilities in NetApp Products | NetApp Product Security | security.netapp.com text/html |
Oracle Critical Patch Update Advisory - July 2021 | www.oracle.com text/html |
curl - TLS session caching disaster - CVE-2021-22901 | curl.se text/html |
Oracle Critical Patch Update Advisory - January 2022 | www.oracle.com text/html |
openssl: associate/detach the transfer from connection · curl/curl@7f4a9a9 · GitHub | github.com text/html |
HackerOne | hackerone.com text/html |
cert-portal.siemens.com application/pdf |
cert-portal.siemens.com application/pdf |
Related QID Numbers
- 20225 Oracle MySQL July 2021 Critical Patch Update (CPU July 2021)
- 239451 Red Hat Update for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 (RHSA-2021:2472)
- 281101 Fedora Security Update for curl (FEDORA-2021-eb5b7c53a9)
- 296065 Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)
- 376367 Oracle Essbase Administration Services Security Update (CPUJAN2022)
- 376550 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (CPUAPR2022)
- 378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
- 500135 Alpine Linux Security Update for curl
- 590938 Siemens Industrial Devices Multiple Vulnerabilities (SSA-732250)
- 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
- 690068 Free Berkeley Software Distribution (FreeBSD) Security Update for mysql (38a4a043-e937-11eb-9b84-d4c9ef517024)
- 710078 Gentoo Linux cURL Multiple vulnerabilities (GLSA 202105-36)
- 730155 McAfee Web Gateway Multiple Vulnerabilities(WP-3580, WP-3656, WP-3815, WP-3878, WP-3882, WP-3934,WP-3935, WP-3936, WP-3999)
- 900067 CBL-Mariner Linux Security Update for curl 7.76.0
- 901903 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (6360-1)
- 903125 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (4370)
- 91779 Cygwin Curl Package Multiple Security Vulnerabilities
Known Affected Configurations (CPE V2.3)
- cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*:
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*:
- cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*:
- cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*: