CVE-2021-23841

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2021-23841
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2021-02-16 17:15:00 UTC
Updated2023-11-07 03:30:00 UTC
DescriptionThe OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Risk And Classification

Problem Types: CWE-476

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Apple Ipados All All All All
Operating System Apple Ipad Os All All All All
Operating System Apple Iphone Os All All All All
Operating System Apple Macos All All All All
Application Apple Safari All All All All
Operating System Debian Debian Linux 10.0 All All All
Operating System Debian Debian Linux 10.0 All All All
Application Netapp Oncommand Insight - All All All
Application Netapp Oncommand Workflow Automation - All All All
Application Netapp Snapcenter - All All All
Application Openssl Openssl All All All All
Application Openssl Openssl All All All All
Application Oracle Business Intelligence 12.2.1.3.0 All All All
Application Oracle Business Intelligence 12.2.1.4.0 All All All
Application Oracle Business Intelligence 5.5.0.0.0 All All All
Application Oracle Business Intelligence 5.9.0.0.0 All All All
Application Oracle Communications Cloud Native Core Policy 1.15.0 All All All
Application Oracle Enterprise Manager For Storage Management 13.4.0.0 All All All
Application Oracle Enterprise Manager Ops Center 12.4.0.0 All All All
Application Oracle Essbase 21.2 All All All
Application Oracle Graalvm 19.3.5 All All All
Application Oracle Graalvm 20.3.1.2 All All All
Application Oracle Graalvm 21.0.0.2 All All All
Application Oracle Jd Edwards World Security a9.4 All All All
Application Oracle Mysql Enterprise Monitor All All All All
Application Oracle Mysql Server All All All All
Application Oracle Peoplesoft Enterprise Peopletools 8.57 All All All
Application Oracle Peoplesoft Enterprise Peopletools 8.58 All All All
Application Oracle Peoplesoft Enterprise Peopletools 8.59 All All All
Application Oracle Zfs Storage Appliance Kit 8.8 All All All
Application Siemens Sinec Ins All All All All
Application Siemens Sinec Ins 1.0 - All All
Application Siemens Sinec Ins 1.0 sp1 All All
Application Tenable Nessus Network Monitor 5.11.0 All All All
Application Tenable Nessus Network Monitor 5.11.1 All All All
Application Tenable Nessus Network Monitor 5.12.0 All All All
Application Tenable Nessus Network Monitor 5.12.1 All All All
Application Tenable Nessus Network Monitor 5.13.0 All All All
Application Tenable Tenable.sc All All All All

References

ReferenceSourceLinkTags
git.openssl.org Git git.openssl.org
git.openssl.org Git - openssl.git/commitdiff git.openssl.org
Oracle Critical Patch Update Advisory - April 2022 MISC www.oracle.com
April 2021 MySQL Vulnerabilities in NetApp Products | NetApp Product Security CONFIRM security.netapp.com
Public KB - SA44846 - OpenSSL Security Advisory CVE-2021-23841 CONFIRM kb.pulsesecure.net
About the security content of macOS Big Sur 11.4 - Apple Support CONFIRM support.apple.com
Oracle Critical Patch Update Advisory - July 2021 N/A www.oracle.com
cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf CONFIRM cert-portal.siemens.com
About the security content of iOS 14.6 and iPadOS 14.6 - Apple Support CONFIRM support.apple.com
OpenSSL: Multiple vulnerabilities (GLSA 202103-03) — Gentoo security GENTOO security.gentoo.org
Oracle Critical Patch Update Advisory - October 2021 MISC www.oracle.com
[R1] Nessus Network Monitor 5.13.1 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable® CONFIRM www.tenable.com
About the security content of Safari 14.1.1 - Apple Support CONFIRM support.apple.com
[R1] Stand-alone Security Patches Available for Tenable.sc versions 5.13.0 to 5.17.0 - Security Advisory | Tenable® CONFIRM www.tenable.com Third Party Advisory
Full Disclosure: APPLE-SA-2021-05-25-5 Safari 14.1.1 FULLDISC seclists.org
git.openssl.org Git - openssl.git/commitdiff CONFIRM git.openssl.org Vendor Advisory
Full Disclosure: APPLE-SA-2021-05-25-1 iOS 14.6 and iPadOS 14.6 FULLDISC seclists.org
February 2021 OpenSSL Vulnerabilities in NetApp Products | NetApp Product Security CONFIRM security.netapp.com Third Party Advisory
git.openssl.org Git - openssl.git/commitdiff CONFIRM git.openssl.org Patch, Vendor Advisory
Full Disclosure: APPLE-SA-2021-05-25-2 macOS Big Sur 11.4 FULLDISC seclists.org
www.openssl.org/news/secadv/20210216.txt CONFIRM www.openssl.org Vendor Advisory
Oracle Critical Patch Update Advisory - April 2021 MISC www.oracle.com
Debian -- Security Information -- DSA-4855-1 openssl DEBIAN www.debian.org Third Party Advisory
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Tavis Ormandy (Google)

Legacy QID Mappings

  • 159414 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2021-3798)
  • 159423 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2021-9478)
  • 159438 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2021-9528)
  • 159512 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2021-4424)
  • 159562 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2021-9561)
  • 174786 SUSE Enterprise Linux Security update for openssl-1_1 (SUSE-SU-2021:0754-1)
  • 174789 SUSE Enterprise Linux Security update for openssl-1_0_0 (SUSE-SU-2021:0769-1)
  • 174794 SUSE Enterprise Linux Security update for compat-openssl098 (SUSE-SU-2021:0793-1)
  • 174839 SUSE Enterprise Linux Security update for openssl (SUSE-SU-2021:0939-1)
  • 174858 SUSE Enterprise Linux Security update for openssl (SUSE-SU-2021:0939-1)
  • 179583 Debian Security Update for Open Secure Sockets Layer (OpenSSL) (CVE-2021-23841)
  • 20221 Oracle MySQL April 2021 Critical Patch Update (CPUAPR2021)
  • 239678 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2021:3798)
  • 239793 Red Hat Update for edk2 security (RHSA-2021:4198)
  • 239823 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2021:4424)
  • 239865 Red Hat Update for red hat jboss core services apache Hypertext Transfer Protocol (HTTP) server 2.4.37 sp10 (RHSA-2021:4614)
  • 257128 CentOS Security Update for Open Secure Sockets Layer (OpenSSL) (CESA-2021:3798)
  • 296053 Oracle Solaris 11.4 Support Repository Update (SRU) 35.94.4 Missing (CPUJUL2021)
  • 296067 Oracle Solaris 11.4 Support Repository Update (SRU) 33.94.0 Missing (CPUAPR2021)
  • 330081 IBM AIX Multiple Vulnerabilities in Openssl (openssl_advisory33)
  • 352246 Amazon Linux Security Advisory for openssl11: ALAS2-2021-1612
  • 352296 Amazon Linux Security Update for Open Secure Sockets Layer (OpenSSL): AL2012-2021-339
  • 357333 Amazon Linux Security Advisory for edk2 : ALAS2-2024-2502
  • 375587 Apple Safari Multiple Vulnerabilities (HT212534)
  • 375588 Apple MacOS Big Sur 11.4 Not Installed (HT212529)
  • 377475 Alibaba Cloud Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ALINUX2-SA-2021:0056)
  • 379452 IBM Cognos Analytics Multiple Vulnerabilities (7123154)
  • 38845 Pulse Connect Secure and Pulse Policy Secure Multiple Vulnerabilities (SA44846)
  • 500497 Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)
  • 500565 Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)
  • 500764 Alpine Linux Security Update for openssl
  • 501164 Alpine Linux Security Update for openssl
  • 501983 Alpine Linux Security Update for Open Secure Sockets Layer3 (OpenSSL3)
  • 502902 Alpine Linux Security Update for openssl1.1-compat
  • 504256 Alpine Linux Security Update for openssl
  • 591311 Bosch Rexroth PRA-ES8P2S Ethernet-Switch Multiple Vulnerabilities (BOSCH-SA-247053-BT)
  • 610342 Apple iOS 14.6 and iPadOS 14.6 Security Update Missing
  • 670250 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL098e) (EulerOS-SA-2021-1826)
  • 670251 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1825)
  • 670315 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL11d) (EulerOS-SA-2021-1909)
  • 670316 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL098e) (EulerOS-SA-2021-1908)
  • 670317 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1907)
  • 670342 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1882)
  • 670369 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1956)
  • 670390 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-1935)
  • 670658 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2021-2416)
  • 670659 EulerOS Security Update for Open Secure Sockets Layer098e (OpenSSL098e) openssl098e (EulerOS-SA-2021-2417)
  • 670660 EulerOS Security Update for Open Secure Sockets Layer110f (openssl110f) (EulerOS-SA-2021-2418)
  • 670698 EulerOS Security Update for Compat-Open Secure Sockets Layer10 (compat-openssl10) (EulerOS-SA-2021-2456)
  • 670784 EulerOS Security Update for shim (EulerOS-SA-2021-2542)
  • 670808 EulerOS Security Update for shim (EulerOS-SA-2021-2566)
  • 690151 Free Berkeley Software Distribution (FreeBSD) Security Update for mysql (56ba4513-a1be-11eb-9072-d4c9ef517024)
  • 710009 Gentoo Linux OpenSSL Multiple Vulnerabilities (GLSA 202103-03)
  • 730228 McAfee Web Gateway Multiple Vulnerabilities (WP-3445, WP-3483, WP-3527, WP-3528, WP-3547, WP-3584,WP-3589,WP-3611)
  • 750308 OpenSUSE Security Update for openssl-1_0_0 (openSUSE-SU-2021:0430-1)
  • 750310 OpenSUSE Security Update for openssl-1_1 (openSUSE-SU-2021:0427-1)
  • 940020 AlmaLinux Security Update for edk2 (ALSA-2021:4198)
  • 940234 AlmaLinux Security Update for Open Secure Sockets Layer (OpenSSL) (ALSA-2021:4424)
  • 960698 Rocky Linux Security Update for edk2 (RLSA-2021:4198)
  • 960795 Rocky Linux Security Update for Open Secure Sockets Layer (OpenSSL) (RLSA-2021:4424)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report