Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j.

OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j.

Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Reference: https://www.openssl.org/news/secadv/20210216.txt
Created compat-openssl10 tracking bugs for this issue:
Affects: fedora-all [bug 1930328]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-all [bug 1930327]

Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1930325]

Created openssl11 tracking bugs for this issue:
Affects: epel-7 [bug 1930326]
External References: https://www.openssl.org/news/secadv/20210216.txt
Upstream commit: https://github.com/openssl/openssl/commit/6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
Statement: This flaw only affects applications that are built against OpenSSL and use the EVP_CipherUpdate, EVP_EncryptUpdate or EVP_DecryptUpdate functions. When specially crafted values are passed to these functions, the application can crash or behave incorrectly.
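To make the description above concrete, here is a constructed model of the output-length arithmetic in an EVP *Update call, the affected form beside the form checked as in the 1.1.1j fix, plus the caller-side guard an application can apply while it may still be linked against an affected build. This is an added illustration, not code from OpenSSL or from this bug; the function names and the buffered-byte model are assumptions.

```c
#include <limits.h>
/* Constructed model of the output-length arithmetic in an EVP *Update call
 * (added illustration, not OpenSSL's code). buf_len bytes are already
 * buffered in the context from an earlier call, bl is the block size (a power
 * of two, as OpenSSL assumes) and inl is the new input length. The call emits
 * one block completed from the buffer plus every whole block of the rest. */

/* Affected behaviour: the sum wraps, the call still reports success (1),
 * and *outl comes back negative when inl is close to INT_MAX. */
int update_outlen_unchecked(int buf_len, int bl, int inl, int *outl)
{
    int j, whole;
    *outl = 0;
    if (buf_len == 0) {              /* nothing buffered: whole blocks only */
        *outl = inl & ~(bl - 1);
        return 1;
    }
    if (bl - buf_len > inl) return 1; /* block still incomplete: keep buffering */
    j = bl - buf_len;                /* input bytes that complete the block */
    whole = (inl - j) & ~(bl - 1);   /* whole input blocks after that */
    /* unsigned add, converted back: shows the wrap without signed-overflow UB */
    *outl = (int)((unsigned int)whole + (unsigned int)bl);
    return 1;
}

/* Fixed behaviour, modelled on the 1.1.1j change: fail the call when the
 * completed block plus the whole input blocks would exceed INT_MAX. */
int update_outlen_checked(int buf_len, int bl, int inl, int *outl)
{
    int j, whole;
    *outl = 0;
    if (inl < 0) return 0;
    if (buf_len == 0) { *outl = inl & ~(bl - 1); return 1; }
    if (bl - buf_len > inl) return 1;
    j = bl - buf_len;
    whole = (inl - j) & ~(bl - 1);
    if (whole > INT_MAX - bl) return 0; /* would overflow: report an error instead */
    *outl = whole + bl;
    return 1;
}

/* Caller-side guard for binaries that may still link an affected build:
 * treat a negative length as failure even though the call returned 1. */
int update_result_ok(int ret, int outl)
{
    return ret == 1 && outl >= 0;
}
```

With one byte already buffered and a 16-byte block, an input of INT_MAX bytes makes the unchecked model return 1 with a negative length, while the checked model returns 0.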
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Enterprise Application Platform 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23840
I see this is closed, but RHEL7 still shows as affected here: https://access.redhat.com/security/cve/cve-2021-23840 Can you please update it? Thanks -jim
This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7

Via RHSA-2021:3798 https://access.redhat.com/errata/RHSA-2021:3798

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8

Via RHSA-2021:4198 https://access.redhat.com/errata/RHSA-2021:4198

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8

Via RHSA-2021:4424 https://access.redhat.com/errata/RHSA-2021:4424

This issue has been addressed in the following products:
Red Hat JBoss Core Services

Via RHSA-2021:4613 https://access.redhat.com/errata/RHSA-2021:4613

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8

Via RHSA-2021:4614 https://access.redhat.com/errata/RHSA-2021:4614