CVE-2021-23840
HIGH7.5EPSS 0.46%Integer overflow in CipherUpdate
發布日:2021/8/25修改日:2024/12/16
也稱為:GHSA-qgm6-9472-pwq7ALPINE-CVE-2021-23840BIT-node-2021-23840BIT-node-min-2021-23840RUSTSEC-2021-0057
描述
Calls to `EVP_CipherUpdate`, `EVP_EncryptUpdate` and `EVP_DecryptUpdate` may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.
受影響套件(9)
- Alpine/opensslfrom 0, < 1.1.1j-r0
- Alpine/openssl3from 0, < 1.1.1j-r0
- Bitnami/node>= 10.0.0, < 10.12.1, >= 10.13.0, < 10.24.0, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.21.0, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.15.1, >= 15.0.0, < 15.10.0
- Bitnami/node-min>= 10.0.0, < 10.12.1, >= 10.13.0, < 10.24.0, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.21.0, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.15.1, >= 15.0.0, < 15.10.0
- crates.io/openssl-srcfrom 0, < 111.14.0
- crates.io/openssl-src>= 0.0.0-0, < 111.14.0
- Debian/opensslfrom 0, < 1.1.0l-1~deb9u3
- Debian/opensslfrom 0, < 1.1.1j-1
- Debian/openssl1.0from 0, < 1.0.2u-1~deb9u4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
參考連結(31)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-23840
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2021-23840
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-23840
- PATCHhttps://crates.io/crates/openssl-src
- PATCHhttps://github.com/alexcrichton/openssl-src-rs
- WEBhttps://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- WEBhttps://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
- WEBhttps://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
- WEBhttps://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
- WEBhttps://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
- WEBhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
- WEBhttps://kc.mcafee.com/corporate/index?page=content&id=SB10366
- WEBhttps://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- WEBhttps://rustsec.org/advisories/RUSTSEC-2021-0057.html
- WEBhttps://security.gentoo.org/glsa/202103-03
- WEBhttps://security.netapp.com/advisory/ntap-20210219-0009
- WEBhttps://security.netapp.com/advisory/ntap-20210219-0009/
- WEBhttps://security.netapp.com/advisory/ntap-20240621-0006/
- WEBhttps://www.debian.org/security/2021/dsa-4855
- WEBhttps://www.openssl.org/news/secadv/20210216.txt
- WEBhttps://www.oracle.com/security-alerts/cpuApr2021.html
- WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html
- WEBhttps://www.oracle.com/security-alerts/cpujan2022.html
- WEBhttps://www.oracle.com//security-alerts/cpujul2021.html
- WEBhttps://www.oracle.com/security-alerts/cpuoct2021.html
- WEBhttps://www.tenable.com/security/tns-2021-03
- WEBhttps://www.tenable.com/security/tns-2021-09
- WEBhttps://www.tenable.com/security/tns-2021-10