Bug 1930310 (CVE-2021-23841) - CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash()
Summary: CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_ha...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-23841
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1935195 1935199 1935201 1935202 1930311 1930312 1930313 1930315 1932125 1932126 1932127 1935193 1935194 1935196 1935197 1935198 1935205 1936457 1936581 1940072 1940073
Blocks: 1930329
TreeView+ depends on / blocked
 
Reported: 2021-02-18 16:49 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:10 UTC (History)
64 users (show)

Fixed In Version: openssl 1.1.1j, openssl 1.0.2y
Doc Type: If docs needed, set a value
Doc Text:
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.
Clone Of:
Environment:
Last Closed: 2021-04-13 06:39:11 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3016 0 None None None 2021-08-06 00:50:23 UTC
Red Hat Product Errata RHSA-2021:3798 0 None None None 2021-10-12 15:28:12 UTC
Red Hat Product Errata RHSA-2021:4198 0 None None None 2021-11-09 17:42:16 UTC
Red Hat Product Errata RHSA-2021:4424 0 None None None 2021-11-09 18:44:29 UTC
Red Hat Product Errata RHSA-2021:4613 0 None None None 2021-11-10 17:14:27 UTC
Red Hat Product Errata RHSA-2021:4614 0 None None None 2021-11-10 17:18:19 UTC
TianoCore 3266 0 None None None 2021-03-16 17:50:57 UTC

Description Guilherme de Almeida Suckevicz 2021-02-18 16:49:31 UTC 
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Reference:
https://www.openssl.org/news/secadv/20210216.txt
Comment 1 Guilherme de Almeida Suckevicz 2021-02-18 16:50:17 UTC 
Created compat-openssl10 tracking bugs for this issue:

Affects: fedora-all [bug 1930313]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1930312]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1930311]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 1930315]
Comment 4 Huzaifa S. Sidhpurwala 2021-02-24 03:11:50 UTC 
Mitigation:

As per upstream "The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources."
Comment 6 Huzaifa S. Sidhpurwala 2021-02-24 03:25:06 UTC 
Statement:

This is a a null pointer dereference in the X509_issuer_and_serial_hash()  function, which can result in crash if called by an application compiled with OpenSSL, by passing a specially-crafted certificate. OpenSSL internally does not use this function.
Comment 7 Huzaifa S. Sidhpurwala 2021-02-24 03:25:11 UTC 
External References:

https://www.openssl.org/news/secadv/20210216.txt
Comment 8 Huzaifa S. Sidhpurwala 2021-02-24 03:49:55 UTC 
Upstream commit: 
https://github.com/openssl/openssl/commit/8130d654d1de922ea224fa18ee3bc7262edc39c0

Upstream test for reproducing this at:
https://github.com/openssl/openssl/commit/55869f594f052561b11a2db6a7c42690051868de
Comment 17 Ted Jongseok Won 2021-03-23 01:41:39 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Enterprise Application Platform 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 18 errata-xmlrpc 2021-04-13 00:09:38 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168
Comment 19 Product Security DevOps Team 2021-04-13 06:39:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23841
Comment 20 Jim Hart 2021-06-28 18:55:30 UTC 
I see this is closed, but RHEL7 still shows as affected here:  https://access.redhat.com/security/cve/cve-2021-23840
Can you please update it?  Thanks -jim
Comment 21 errata-xmlrpc 2021-08-06 00:50:19 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
Comment 24 errata-xmlrpc 2021-10-12 15:28:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3798 https://access.redhat.com/errata/RHSA-2021:3798
Comment 25 errata-xmlrpc 2021-11-09 17:42:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4198 https://access.redhat.com/errata/RHSA-2021:4198
Comment 26 errata-xmlrpc 2021-11-09 18:44:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4424 https://access.redhat.com/errata/RHSA-2021:4424
Comment 27 errata-xmlrpc 2021-11-10 17:14:23 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2021:4613 https://access.redhat.com/errata/RHSA-2021:4613
Comment 28 errata-xmlrpc 2021-11-10 17:18:15 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:4614 https://access.redhat.com/errata/RHSA-2021:4614
Note You need to log in before you can comment on or make changes to this bug.