CVE-2021-23840

Published on: 02/16/2021 12:00:00 AM UTC

Last Modified on: 10/22/2021 08:15:00 AM UTC

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Certain versions of Debian Linux from Debian contain the following vulnerability:

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

  • CVE-2021-23840 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
  • Affected Vendor/Software: OpenSSL - OpenSSL version Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i)
  • Affected Vendor/Software: OpenSSL - OpenSSL version Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x)

CVSS3 Score: 7.5 - HIGH

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS2 Score: 5 - MEDIUM

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

CVE References

  • MLIST (lists.apache.org): [bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8
  • CONFIRM: Security Bulletin - ePolicy Orchestrator update addresses two product vulnerabilities (CVE-2021-31834 and CVE-2021-31835) and updates Java, OpenSSL, and Tomcat - kc.mcafee.com/corporate/index?page=content&id=SB10366
  • CONFIRM: Public KB - SA44846 - OpenSSL Security Advisory CVE-2021-23841 - kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
  • CONFIRM: git.openssl.org Git - openssl.git/commitdiff - git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2 (broken link; inactive, not archived)
  • MISC: Oracle Critical Patch Update Advisory - July 2021 - www.oracle.com//security-alerts/cpujul2021.html
  • GENTOO: OpenSSL: Multiple vulnerabilities (GLSA 202103-03) - Gentoo security (security.gentoo.org) - GLSA-202103-03
  • MISC: Oracle Critical Patch Update Advisory - October 2021 - www.oracle.com/security-alerts/cpuoct2021.html
  • CONFIRM: [R1] Nessus Network Monitor 5.13.1 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable - www.tenable.com/security/tns-2021-09
  • CONFIRM: [R1] LCE 6.0.9 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable - www.tenable.com/security/tns-2021-10
  • CONFIRM (Third Party Advisory): [R1] Stand-alone Security Patches Available for Tenable.sc versions 5.13.0 to 5.17.0 - Security Advisory | Tenable - www.tenable.com/security/tns-2021-03
  • CONFIRM (Third Party Advisory): February 2021 OpenSSL Vulnerabilities in NetApp Products | NetApp Product Security - security.netapp.com/advisory/ntap-20210219-0009/
  • CONFIRM (Patch, Vendor Advisory): git.openssl.org Git - openssl.git/commitdiff - git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
  • MLIST (lists.apache.org): [bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8
  • CONFIRM (Vendor Advisory): OpenSSL Security Advisory - www.openssl.org/news/secadv/20210216.txt
  • MISC: Oracle Critical Patch Update Advisory - April 2021 - www.oracle.com/security-alerts/cpuApr2021.html
  • DEBIAN (Third Party Advisory): Debian -- Security Information -- DSA-4855-1 openssl - www.debian.org - DSA-4855 (deprecated link)

Related QID Numbers

  • 159414 Oracle Enterprise Linux Security Update for openssl (ELSA-2021-3798)
  • 159423 Oracle Enterprise Linux Security Update for openssl (ELSA-2021-9478)
  • 174786 SUSE Enterprise Linux Security update for openssl-1_1 (SUSE-SU-2021:0754-1)
  • 174789 SUSE Enterprise Linux Security update for openssl-1_0_0 (SUSE-SU-2021:0769-1)
  • 174794 SUSE Enterprise Linux Security update for compat-openssl098 (SUSE-SU-2021:0793-1)
  • 174839 SUSE Enterprise Linux Security update for openssl (SUSE-SU-2021:0939-1)
  • 174858 SUSE Enterprise Linux Security update for openssl (SUSE-SU-2021:0939-1)
  • 198517 Ubuntu Security Notification for EDK II Vulnerabilities (USN-5088-1)
  • 239678 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2021:3798)
  • 330081 IBM AIX Multiple Vulnerabilities in Openssl (openssl_advisory33)
  • 352246 Amazon Linux Security Advisory for openssl11: ALAS2-2021-1612
  • 352296 Amazon Linux Security Update for Open Secure Sockets Layer (OpenSSL): AL2012-2021-339
  • 375467 Node.js Multiple Vulnerabilities
  • 375658 Node.js Multiple Vulnerabilities (February 2021) (Installed with Nodlist)
  • 38845 Pulse Connect Secure and Pulse Policy Secure Multiple Vulnerabilities (SA44846)
  • 670250 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL098e) (EulerOS-SA-2021-1826)
  • 670251 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1825)
  • 670315 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL11d) (EulerOS-SA-2021-1909)
  • 670316 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL098e) (EulerOS-SA-2021-1908)
  • 670317 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1907)
  • 670342 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1882)
  • 670369 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1956)
  • 670390 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1935)
  • 670658 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-2416)
  • 670659 EulerOS Security Update for Open Secure Sockets Layer098e (OpenSSL098e) openssl098e (EulerOS-SA-2021-2417)
  • 670660 EulerOS Security Update for Open Secure Sockets Layer110f (openssl110f) (EulerOS-SA-2021-2418)
  • 670698 EulerOS Security Update for compat-openssl10 (EulerOS-SA-2021-2456)
  • 670784 EulerOS Security Update for shim (EulerOS-SA-2021-2542)
  • 670808 EulerOS Security Update for shim (EulerOS-SA-2021-2566)
  • 710009 Gentoo Linux OpenSSL Multiple Vulnerabilities (GLSA 202103-03)
  • 730228 McAfee Web Gateway Multiple Vulnerabilities (WP-3445, WP-3483, WP-3527, WP-3528, WP-3547, WP-3584, WP-3589, WP-3611)
  • 750308 OpenSUSE Security Update for openssl-1_0_0 (openSUSE-SU-2021:0430-1)
  • 750310 OpenSUSE Security Update for openssl-1_1 (openSUSE-SU-2021:0427-1)
  • 750335 OpenSUSE Security Update for nodejs10 (openSUSE-SU-2021:0372-1)
  • 750340 OpenSUSE Security Update for nodejs12 (openSUSE-SU-2021:0357-1)
  • 91782 IBM Integration Bus and IBM App Connect Enterprise Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (6463979)

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Debian | Debian Linux | 10.0 | All | All | All
Application | Openssl | Openssl | All | All | All | All
Application | Oracle | Enterprise Manager Ops Center | 12.4.0.0 | All | All | All
Application | Oracle | Graalvm | 19.3.5 | All | All | All
Application | Oracle | Graalvm | 20.3.1.2 | All | All | All
Application | Oracle | Graalvm | 21.0.0.2 | All | All | All
Application | Oracle | Mysql Server | All | All | All | All
Application | Oracle | Nosql Database | All | All | All | All
Application | Tenable | Log Correlation Engine | All | All | All | All
Application | Tenable | Nessus Network Monitor | 5.11.0 | All | All | All
Application | Tenable | Nessus Network Monitor | 5.11.1 | All | All | All
Application | Tenable | Nessus Network Monitor | 5.12.0 | All | All | All
Application | Tenable | Nessus Network Monitor | 5.12.1 | All | All | All
Application | Tenable | Nessus Network Monitor | 5.13.0 | All | All | All

  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:nessus_network_monitor:5.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:nessus_network_monitor:5.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:nessus_network_monitor:5.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:nessus_network_monitor:5.12.1:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:nessus_network_monitor:5.13.0:*:*:*:*:*:*:*

Discovery Credit

Paul Kehrer

Social Mentions

Source Title Posted (UTC)
Twitter @GrupoICA_Ciber: DEBIAN: Multiple high-severity vulnerabilities in DEBIAN products: CVE-2020-13936, CVE-2021-23840 More inf… twitter.com/i/web/status/1… 2021-04-01 07:55:10
Twitter @nae2sho: Command-line-only mail sending app SMAIL v4.28: upgraded the library to openSSL 1.1.1k and addressed the vulnerabilities. (CVE-2021-23841, CVE-2021-23840) Note: this app is GMA… twitter.com/i/web/status/1… 2021-04-03 01:34:12
Twitter @kai_ri_0001: The firmware for the AXIS M3058 and P3807-PVE is now 10.5, and "OpenSSL upgraded to 1.1.1j to fix CVE-2021-23841 and CVE-2021-23840", apparently. 2021-05-21 10:08:42
Twitter @tux_care: We released the OpenSSL package with the fix for the CVE-2021-23840 within CentOS 6/CloudLinux OS 6/OracleLinux 6 e… twitter.com/i/web/status/1… 2021-06-17 17:36:19
Reddit /r/synology: SRM 1.2.5 Released; up to 47% increase in SSL VPN performance 2021-05-11 18:51:58
Reddit /r/unifi_versions: UniFi OS - Dream Machines 1.10.0 2021-07-09 07:50:12

© CVE.report 2021


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
