Bug 2069364 (CVE-2021-43085)

Summary: CVE-2021-43085 openssl: Insecure permissions vulnerability due to an error in the implementation of the CMAC_Final() function
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: adudiak, alcohan, aos-bugs, aprice, arachman, asoldano, bbaranow, bdettelb, berrange, bmaxwell, bootloader-eng-team, brian.stansberry, caswilli, cdewolf, cfergeau, chazlett, crobinso, crypto-team, csutherl, darran.lofthouse, dbelyavs, dfreiber, dhalasz, dkreling, dkuc, doconnor, dosoudil, drow, dueno, elima, epel-packagers-sig, erik-fedora, fjansen, fjuma, fmartine, gparvin, gzaronik, hkataria, istudens, ivassile, iweiss, jburrell, jclere, jforrest, jkoehler, jmitchel, jochrist, jramanat, jsamir, jtanner, jwong, jwon, kaycoth, kholdawa, krathod, kraxel, kshier, ktietz, lgao, lphiri, lveyde, marcandre.lureau, michal.skrivanek, michel, micjohns, mjg59, mosmerov, mperina, mpierce, msochure, mspacek, msvehla, mturk, njean, nobody, nwallace, owatkins, pahickey, pbonzini, pesilva, philmd, pjindal, pjones, plodge, pmackay, redhat-bugzilla, rfreiman, rhaigner, rharwood, rh-spice-bugs, rjones, rogbas, rstancel, rsvoboda, sahana, sbonazzo, smaestri, ssorce, stcannon, sthirugn, szappis, teagle, tmeszaro, tm, tom.jenkinson, virt-maint, virt-maint, vkrizan, vkumar, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
[REJECTED CVE] An Insecure Permissions bug exists in the OpenSSL Project 3.0 due to an error in the implementation of the CMAC_Final() function.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-04-01 08:34:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2069365

Description Pedro Sampaio 2022-03-28 19:14:49 UTC
An Insecure Permissions vulnerability exists in the OpenSSL Project 3.0 due to an error in the implementation of the CMAC_Final() function.

Upstream issue:

https://github.com/openssl/openssl/issues/16873

Comment 1 Simo Sorce 2022-03-28 20:58:20 UTC
After reading the upstream issue I do not understand why you would open a security issue for this bug.
There is no vulnerability opened by misusing the API with the wrong cipher block. Simply the CMAC that you get is not interoperable with any correctly used one.

If you see a direct way to exploit this please let us know.
Otherwise, please just close this, the parent, and any related bugs as NOTABUG.