Bug 1963146 (CVE-2021-22901)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2021-22901 curl: Use-after-free in TLS session handling when using OpenSSL TLS backend | | |
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | amctagga, andrew.slice, anharris, bniver, bodavis, csutherl, dbhole, flucifre, gmeno, gzaronik, hhorak, hvyas, jclere, jorton, jwon, kanderso, kaycoth, kdudka, krathod, luhliari, lvaleeva, mbenjamin, mhackett, msekleta, mturk, omajid, paul, pjindal, rwagner, security-response-team, sostapov, svashisht, szappis, thoger, vereddy, vmugicag |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | curl 7.77.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | A use-after-free flaw was found in the way curl handled TLS session data. The curl versions using the OpenSSL library as their TLS backend could use freed memory after TLS session renegotiation was performed by the OpenSSL library. A malicious TLS server could use this flaw to crash or, possibly, execute arbitrary code with the privileges of a client application using the curl library. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-06-17 15:05:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1963867, 1963900, 1964815 | | |
| Bug Blocks: | 1962160 | | |
Description

Dhananjay Arunesh, 2021-05-21 14:50:48 UTC

Upstream advisory notes that this issue affects curl versions using OpenSSL (or its forks BoringSSL or libressl) as the TLS backend. It also requires the use of curl's "multi" interface.

Upstream also notes that this issue was only introduced recently, in version 7.75.0, via this commit: https://github.com/curl/curl/commit/a304051620b92

This issue only affects versions 7.75.0 to 7.76.1, which are not included in any current version of Red Hat Enterprise Linux or Red Hat Software Collections. Fedora 34 is currently the only Fedora version shipping an affected upstream curl version. Fedora 33 and earlier use versions prior to the first affected 7.75.0. RHCS 2 ships curl-7.29.0-32, which is not affected.

Created curl tracking bugs for this issue:

- Affects: fedora-all [bug 1964815]

Public now via upstream advisory: https://curl.se/docs/CVE-2021-22901.html

Upstream commit: https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479

HackerOne report: https://hackerone.com/reports/1180380

This issue has been addressed in the following products:

- JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

This issue has been addressed in the following products:

- JBoss Core Services on RHEL 7
- JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22901