Bug 1930324 (CVE-2021-23840) - CVE-2021-23840 openssl: integer overflow in CipherUpdate
Summary: CVE-2021-23840 openssl: integer overflow in CipherUpdate
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-23840
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1930326 1930327 1930328 1932128 1932129 1935194 1935195 1935198 1935199 1935201 1935202 1935205 1940069 1930325 1932132 1935193 1935196 1935197 1936456 1936583 1940070
Blocks: 1930329
 
Reported: 2021-02-18 16:56 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-12 15:28 UTC (History)

Fixed In Version: openssl 1.1.1j, openssl 1.0.2y
Doc Type: If docs needed, set a value
Doc Text:
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.
Clone Of:
Environment:
Last Closed: 2021-04-13 06:39:18 UTC




Links
Red Hat Product Errata RHSA-2021:3016 (last updated 2021-08-06 00:50:26 UTC)
Red Hat Product Errata RHSA-2021:3798 (last updated 2021-10-12 15:28:12 UTC)
TianoCore 3266 (last updated 2021-03-16 17:50:46 UTC)

Description Guilherme de Almeida Suckevicz 2021-02-18 16:56:01 UTC
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j.

OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j.

Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Reference:
https://www.openssl.org/news/secadv/20210216.txt

Comment 1 Guilherme de Almeida Suckevicz 2021-02-18 16:56:40 UTC
Created compat-openssl10 tracking bugs for this issue:

Affects: fedora-all [bug 1930328]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1930327]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1930325]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 1930326]

Comment 5 Huzaifa S. Sidhpurwala 2021-02-24 03:28:22 UTC
External References:

https://www.openssl.org/news/secadv/20210216.txt

Comment 7 Huzaifa S. Sidhpurwala 2021-02-24 04:00:38 UTC
Upstream commit: https://github.com/openssl/openssl/commit/6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1

Comment 9 Huzaifa S. Sidhpurwala 2021-02-24 04:45:47 UTC
Statement:

This flaw only affects applications which are compiled with OpenSSL and using EVP_CipherUpdate, EVP_EncryptUpdate or EVP_DecryptUpdate functions. When specially-crafted values are passed to these functions, it can cause the application to crash or behave incorrectly.
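As an added illustration, not code from OpenSSL and not part of this bug report, the following C program models the output-length bookkeeping that the description and Comment 9 refer to, and the guard that the upstream fix in Comment 7 adds. It moves no data and calls no cipher; it only reproduces the arithmetic on the `int` output length for a block cipher with some bytes already buffered from a previous update call. The function names (model_update_outlen, vulnerable_update, fixed_update, checked_update) and the inputs (block size 16, 15 buffered bytes, INT_MAX new bytes) are this example's own, chosen to trigger the case the advisory describes.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Model (not OpenSSL code) of the output-length arithmetic in
 * evp_EncryptDecryptUpdate for a non-custom block cipher: bl is the
 * block size (a power of two), buf_len the bytes left over from an
 * earlier EVP_*Update call, inl the new input length.  The result is
 * returned as long long so an overflow of int is visible to the caller.
 */
static long long model_update_outlen(int buf_len, int inl, int bl)
{
    long long outl;
    int i;

    /* Fast path: nothing buffered and the input is a whole number of blocks. */
    if (buf_len == 0 && (inl & (bl - 1)) == 0)
        return inl;

    if (buf_len != 0) {
        /* Still not a full block: it is buffered and nothing is emitted. */
        if (bl - buf_len > inl)
            return 0;
        inl -= bl - buf_len;   /* input bytes used to complete the buffered block */
        outl = bl;             /* that completed block is emitted */
    } else {
        outl = 0;
    }
    i = inl & (bl - 1);        /* trailing partial block is held back */
    inl -= i;
    outl += inl;               /* buffered block + aligned input: can exceed INT_MAX */
    return outl;
}

/* Pre-1.1.1j behaviour: the sum is stored in an int, so a result above
 * INT_MAX becomes negative while the call still reports success (1). */
static int vulnerable_update(int buf_len, int inl, int bl, int *outl)
{
    *outl = (int)model_update_outlen(buf_len, inl, bl);
    return 1;
}

/* 1.1.1j-style guard: before consuming the buffered block, verify that the
 * block-aligned remainder of the input plus that one block fits in an int,
 * otherwise fail (OpenSSL reports EVP_R_OUTPUT_WOULD_OVERFLOW at this point). */
static int fixed_update(int buf_len, int inl, int bl, int *outl)
{
    if (inl <= 0) {
        *outl = 0;
        return inl == 0;
    }
    if (buf_len != 0 && bl - buf_len <= inl) {
        int j = bl - buf_len;
        if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
            *outl = 0;
            return 0;
        }
    }
    *outl = (int)model_update_outlen(buf_len, inl, bl);
    return 1;
}

/* Application-side mitigation when the linked library may be unpatched:
 * treat "success" with a negative output length as a failure. */
static int checked_update(int (*update)(int, int, int, int *),
                          int buf_len, int inl, int bl, int *outl)
{
    if (!update(buf_len, inl, bl, outl))
        return 0;
    return *outl >= 0;
}

int main(void)
{
    int outl, ret;

    /* 15 bytes buffered, INT_MAX new bytes: the completed block plus the
     * block-aligned input is INT_MAX + 1, one past what an int can hold. */
    ret = vulnerable_update(15, INT_MAX, 16, &outl);
    printf("vulnerable: ret=%d outl=%d\n", ret, outl);
    ret = fixed_update(15, INT_MAX, 16, &outl);
    printf("fixed:      ret=%d outl=%d\n", ret, outl);
    ret = fixed_update(5, 20, 16, &outl);
    printf("ordinary:   ret=%d outl=%d\n", ret, outl);
    return 0;
}
```

The same pattern applies to the decrypt path, where one held-back final block is emitted in front of the block-aligned input, so the fixed library also rejects an input whose aligned length exceeds INT_MAX minus one block there. An application cannot see the buffered state inside the EVP_CIPHER_CTX, which is why the practical mitigation on an unpatched library is to reject a negative *outl even when the call returned 1, as checked_update does.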

Comment 18 Ted Jongseok Won 2021-03-23 01:41:52 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Enterprise Application Platform 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 19 errata-xmlrpc 2021-04-13 00:09:41 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168

Comment 20 Product Security DevOps Team 2021-04-13 06:39:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23840

Comment 21 Jim Hart 2021-06-28 18:56:48 UTC
I see this is closed, but RHEL7 still shows as affected here:  https://access.redhat.com/security/cve/cve-2021-23840
Can you please update it?  Thanks -jim

Comment 24 errata-xmlrpc 2021-08-06 00:50:21 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 28 errata-xmlrpc 2021-10-12 15:28:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3798 https://access.redhat.com/errata/RHSA-2021:3798

