CVE-2021-23840

Summary

CVE	CVE-2021-23840
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-02-16 17:15:00 UTC
Updated	2023-11-07 03:30:00 UTC
Description	Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Risk And Classification

Problem Types: CWE-190

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Hardware	Fujitsu	M10-1	-	All	All	All
Operating System	Fujitsu	M10-1 Firmware	All	All	All	All
Hardware	Fujitsu	M10-4	-	All	All	All
Hardware	Fujitsu	M10-4s	-	All	All	All
Operating System	Fujitsu	M10-4s Firmware	All	All	All	All
Operating System	Fujitsu	M10-4 Firmware	All	All	All	All
Hardware	Fujitsu	M12-1	-	All	All	All
Operating System	Fujitsu	M12-1 Firmware	All	All	All	All
Hardware	Fujitsu	M12-2	-	All	All	All
Hardware	Fujitsu	M12-2s	-	All	All	All
Operating System	Fujitsu	M12-2s Firmware	All	All	All	All
Operating System	Fujitsu	M12-2 Firmware	All	All	All	All
Application	Mcafee	Epolicy Orchestrator	All	All	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	-	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_1	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_10	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_2	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_3	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_4	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_5	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_6	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_7	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_8	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_9	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Nodejs	Node.js	14.15.0	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Openssl	Openssl	All	All	All	All
Application	Openssl	Openssl	All	All	All	All
Application	Oracle	Business Intelligence	12.2.1.3.0	All	All	All
Application	Oracle	Business Intelligence	12.2.1.4.0	All	All	All
Application	Oracle	Business Intelligence	5.5.0.0.0	All	All	All
Application	Oracle	Business Intelligence	5.9.0.0.0	All	All	All
Application	Oracle	Communications Cloud Native Core Policy	1.15.0	All	All	All
Application	Oracle	Enterprise Manager For Storage Management	13.4.0.0	All	All	All
Application	Oracle	Enterprise Manager Ops Center	12.4.0.0	All	All	All
Application	Oracle	Graalvm	19.3.5	All	All	All
Application	Oracle	Graalvm	20.3.1.2	All	All	All
Application	Oracle	Graalvm	21.0.0.2	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	All	All	All	All
Application	Oracle	Jd Edwards World Security	a9.4	All	All	All
Application	Oracle	Mysql Server	All	All	All	All
Application	Oracle	Nosql Database	All	All	All	All
Application	Tenable	Log Correlation Engine	All	All	All	All
Application	Tenable	Nessus Network Monitor	5.11.0	All	All	All
Application	Tenable	Nessus Network Monitor	5.11.1	All	All	All
Application	Tenable	Nessus Network Monitor	5.12.0	All	All	All
Application	Tenable	Nessus Network Monitor	5.12.1	All	All	All
Application	Tenable	Nessus Network Monitor	5.13.0	All	All	All

References

Reference	Source	Link	Tags
git.openssl.org Git - openssl.git/commitdiff		git.openssl.org
[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8		lists.apache.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
Security Bulletin - ePolicy Orchestrator update addresses two product vulnerabilities (CVE-2021-31834 and CVE-2021-31835) and updates Java, OpenSSL, and Tomcat	CONFIRM	kc.mcafee.com
Public KB - SA44846 - OpenSSL Security Advisory CVE-2021-23841	CONFIRM	kb.pulsesecure.net
git.openssl.org Git - openssl.git/commitdiff	CONFIRM	git.openssl.org	Broken Link
Oracle Critical Patch Update Advisory - July 2021	N/A	www.oracle.com
OpenSSL: Multiple vulnerabilities (GLSA 202103-03) — Gentoo security	GENTOO	security.gentoo.org
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
[R1] Nessus Network Monitor 5.13.1 Fixes Multiple Third-party Vulnerabilities - Security Advisory \| Tenable®	CONFIRM	www.tenable.com
[R1] LCE 6.0.9 Fixes Multiple Third-party Vulnerabilities - Security Advisory \| Tenable®	CONFIRM	www.tenable.com
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
[R1] Stand-alone Security Patches Available for Tenable.sc versions 5.13.0 to 5.17.0 - Security Advisory \| Tenable®	CONFIRM	www.tenable.com	Third Party Advisory
git.openssl.org Git		git.openssl.org
February 2021 OpenSSL Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com	Third Party Advisory
git.openssl.org Git - openssl.git/commitdiff	CONFIRM	git.openssl.org	Patch, Vendor Advisory
cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	CONFIRM	cert-portal.siemens.com
Pony Mail!	MLIST	lists.apache.org
[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8		lists.apache.org
www.openssl.org/news/secadv/20210216.txt	CONFIRM	www.openssl.org	Vendor Advisory
Oracle Critical Patch Update Advisory - April 2021	MISC	www.oracle.com
Debian -- Security Information -- DSA-4855-1 openssl	DEBIAN	www.debian.org	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Paul Kehrer

Legacy QID Mappings

159414 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2021-3798)
159423 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2021-9478)
159438 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2021-9528)
159512 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2021-4424)
159562 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2021-9561)
174786 SUSE Enterprise Linux Security update for openssl-1_1 (SUSE-SU-2021:0754-1)
174789 SUSE Enterprise Linux Security update for openssl-1_0_0 (SUSE-SU-2021:0769-1)
174794 SUSE Enterprise Linux Security update for compat-openssl098 (SUSE-SU-2021:0793-1)
174839 SUSE Enterprise Linux Security update for openssl (SUSE-SU-2021:0939-1)
174858 SUSE Enterprise Linux Security update for openssl (SUSE-SU-2021:0939-1)
180566 Debian Security Update for Open Secure Sockets Layer (OpenSSL) (CVE-2021-23840)
198517 Ubuntu Security Notification for EDK II Vulnerabilities (USN-5088-1)
239678 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2021:3798)
239793 Red Hat Update for edk2 security (RHSA-2021:4198)
239823 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2021:4424)
239865 Red Hat Update for red hat jboss core services apache Hypertext Transfer Protocol (HTTP) server 2.4.37 sp10 (RHSA-2021:4614)
257128 CentOS Security Update for Open Secure Sockets Layer (OpenSSL) (CESA-2021:3798)
296067 Oracle Solaris 11.4 Support Repository Update (SRU) 33.94.0 Missing (CPUAPR2021)
330081 IBM AIX Multiple Vulnerabilities in Openssl (openssl_advisory33)
352246 Amazon Linux Security Advisory for openssl11: ALAS2-2021-1612
352296 Amazon Linux Security Update for Open Secure Sockets Layer (OpenSSL): AL2012-2021-339
357333 Amazon Linux Security Advisory for edk2 : ALAS2-2024-2502
375467 Node.js Multiple Vulnerabilities
375658 Node.js Multiple Vulnerabilities (February 2021) (Installed with Nodlist)
376544 F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) Open Secure Sockets Layer (OpenSSL) Vulnerability (K24624116)
377475 Alibaba Cloud Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ALINUX2-SA-2021:0056)
379452 IBM Cognos Analytics Multiple Vulnerabilities (7123154)
38845 Pulse Connect Secure and Pulse Policy Secure Multiple Vulnerabilities (SA44846)
500497 Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)
500565 Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)
500764 Alpine Linux Security Update for openssl
501164 Alpine Linux Security Update for openssl
501983 Alpine Linux Security Update for Open Secure Sockets Layer3 (OpenSSL3)
502902 Alpine Linux Security Update for openssl1.1-compat
504256 Alpine Linux Security Update for openssl
591054 Mitsubishi Electric MELSOFT GT OPC UA, GT SoftGOT2000 Multiple Vulnerabilities (ICSA-22-130-06)
591311 Bosch Rexroth PRA-ES8P2S Ethernet-Switch Multiple Vulnerabilities (BOSCH-SA-247053-BT)
670250 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL098e) (EulerOS-SA-2021-1826)
670251 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1825)
670315 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL11d) (EulerOS-SA-2021-1909)
670316 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL098e) (EulerOS-SA-2021-1908)
670317 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1907)
670342 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1882)
670369 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1956)
670390 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1935)
670658 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-2416)
670659 EulerOS Security Update for Open Secure Sockets Layer098e (OpenSSL098e) openssl098e (EulerOS-SA-2021-2417)
670660 EulerOS Security Update for Open Secure Sockets Layer110f (openssl110f) (EulerOS-SA-2021-2418)
670698 EulerOS Security Update for Compat-Open Secure Sockets Layer10 (compat-openssl10) (EulerOS-SA-2021-2456)
670784 EulerOS Security Update for shim (EulerOS-SA-2021-2542)
670808 EulerOS Security Update for shim (EulerOS-SA-2021-2566)
690211 Free Berkeley Software Distribution (FreeBSD) Security Update for node.js (2f3cd69e-7dee-11eb-b92e-0022489ad614)
710009 Gentoo Linux OpenSSL Multiple Vulnerabilities (GLSA 202103-03)
730228 McAfee Web Gateway Multiple Vulnerabilities (WP-3445, WP-3483, WP-3527, WP-3528, WP-3547, WP-3584,WP-3589,WP-3611)
750308 OpenSUSE Security Update for openssl-1_0_0 (openSUSE-SU-2021:0430-1)
750310 OpenSUSE Security Update for openssl-1_1 (openSUSE-SU-2021:0427-1)
750335 OpenSUSE Security Update for nodejs10 (openSUSE-SU-2021:0372-1)
750340 OpenSUSE Security Update for nodejs12 (openSUSE-SU-2021:0357-1)
91782 IBM Integration Bus and IBM App Connect Enterprise Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (6463979)
940020 AlmaLinux Security Update for edk2 (ALSA-2021:4198)
940234 AlmaLinux Security Update for Open Secure Sockets Layer (OpenSSL) (ALSA-2021:4424)
960698 Rocky Linux Security Update for edk2 (RLSA-2021:4198)
960795 Rocky Linux Security Update for Open Secure Sockets Layer (OpenSSL) (RLSA-2021:4424)