Bug 2069364 (CVE-2021-43085) - CVE-2021-43085 openssl: Insecure permissions vulnerability due to an error in the implementation of the CMAC_Final() function
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-43085
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2069365
Reported: 2022-03-28 19:14 UTC by Pedro Sampaio
Modified: 2025-01-09 05:07 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-04-01 08:34:23 UTC
Embargoed:



Description Pedro Sampaio 2022-03-28 19:14:49 UTC
An Insecure Permissions vulnerability exists in the OpenSSL Project 3.0 due to an error in the implementation of the CMAC_Final() function.

Upstream issue:

https://github.com/openssl/openssl/issues/16873

Comment 1 Simo Sorce 2022-03-28 20:58:20 UTC
After reading the upstream issue I do not understand why you would open a security issue for this bug.
There is no vulnerability opened by misusing the API with the wrong cipher block. Simply the CMAC that you get is not interoperable with any correctly used one.

If you see a direct way to exploit this please let us know.
Otherwise, please just close this, the parent, and any related bugs as NOTABUG.

