Vulnerability CVE-2021-23840: Information

Description

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
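
The length arithmetic behind this advisory, as an added illustration that is not OpenSSL source: the model below reproduces only the output-length bookkeeping of the EVP_*Update functions (the context holds a partial block from an earlier call, the new input completes it, and the whole-block remainder is processed), first as the pre-fix computation that wraps negative while still returning 1, then with the post-fix guard that rejects the call, plus the plausibility check a caller can apply on any library version. The function names, the 16-byte block size and the 15 buffered bytes are assumptions chosen for the demonstration.

```c
/*
 * Added illustration (not OpenSSL source): a model of the output-length
 * bookkeeping in EVP_EncryptUpdate/EVP_DecryptUpdate/EVP_CipherUpdate that
 * produced CVE-2021-23840. No cipher work is performed; only the length
 * arithmetic is reproduced. Assumptions: bl is the cipher block size (a
 * power of two), buf_len (0 < buf_len < bl) bytes are already buffered in
 * the context from an earlier partial-block call, inl is the new input.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Whole-block bytes of the new input left after the buffered block has been
 * completed with the first (bl - buf_len) bytes. Returns -1 when the input is
 * too short to complete the buffered block (the data is merely buffered).
 */
static long long whole_block_bytes(int buf_len, int bl, int inl)
{
    int j = bl - buf_len;
    if (inl < j)
        return -1;
    return (long long)((inl - j) & ~(bl - 1));
}

/*
 * Pre-fix behaviour (OpenSSL <= 1.1.1i / 1.0.2x): outl = bl + whole blocks.
 * The sum is formed in 64 bits and then truncated the way a 32-bit int would
 * wrap, which keeps this model free of signed-overflow undefined behaviour.
 * Like the vulnerable code it reports success (1) even when outl wrapped.
 */
int update_len_unchecked(int buf_len, int bl, int inl, int *outl)
{
    long long whole = whole_block_bytes(buf_len, bl, inl);
    if (whole < 0) {
        *outl = 0;
        return 1;
    }
    *outl = (int)(uint32_t)(bl + whole);  /* negative when bl + whole > INT_MAX */
    return 1;
}

/*
 * Post-fix behaviour (1.1.1j / 1.0.2y): refuse the call when the completed
 * block plus the whole-block remainder would not fit in an int. Returns 0
 * with *outl = 0, mirroring the library's error return.
 */
int update_len_checked(int buf_len, int bl, int inl, int *outl)
{
    long long whole = whole_block_bytes(buf_len, bl, inl);
    if (whole < 0) {
        *outl = 0;
        return 1;
    }
    if (whole > INT_MAX - bl) {
        *outl = 0;
        return 0;
    }
    *outl = (int)(bl + whole);
    return 1;
}

/*
 * Caller-side sanity check an application can apply on any library version:
 * a successful Update can emit at most one extra block beyond the input it
 * was given, so 0 <= outl <= inl + bl must hold. A negative outl, as produced
 * by the bug, fails this check and must not be used to index a buffer.
 */
int update_result_plausible(int rc, int outl, int inl, int bl)
{
    return rc == 1 && outl >= 0 && (long long)outl <= (long long)inl + bl;
}

int main(void)
{
    const int bl = 16, buf_len = 15;      /* AES block size, 15 bytes buffered */
    const int inl = INT_MAX - 10;         /* input length close to INT_MAX */
    int outl, rc;

    rc = update_len_unchecked(buf_len, bl, inl, &outl);
    printf("unchecked: rc=%d outl=%d plausible=%d\n",
           rc, outl, update_result_plausible(rc, outl, inl, bl));

    rc = update_len_checked(buf_len, bl, inl, &outl);
    printf("checked:   rc=%d outl=%d\n", rc, outl);
    return 0;
}
```

With 15 bytes buffered and an input of INT_MAX - 10 bytes, the completed block plus the whole-block remainder comes to exactly 2^31, which does not fit in an int: the unchecked model returns 1 with a negative length, the checked model returns 0. The plausibility check is the part worth carrying into application code, since a negative or oversized length fed to memcpy or a write() is where "behave incorrectly or crash" comes from.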

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Published: Feb. 16, 2021
Modified: Nov. 7, 2023
Error type identifier: CWE-190

Fixed packages

References to Advisories, Solutions, and Tools

Hyperlink (resource type)
https://www.openssl.org/news/secadv/20210216.txt
  • Vendor Advisory
DSA-4855
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20210219-0009/
  • Third Party Advisory
https://www.tenable.com/security/tns-2021-03
  • Third Party Advisory
GLSA-202103-03
  • Third Party Advisory
https://www.tenable.com/security/tns-2021-09
  • Third Party Advisory
https://www.tenable.com/security/tns-2021-10
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
  • Patch
  • Third Party Advisory
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
  • Third Party Advisory
N/A
  • Patch
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
  • Patch
  • Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10366
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
  • Patch
  • Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
  • Patch
  • Third Party Advisory
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8
[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8

              Configuration 1

              cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
              Start including
              1.0.2
              End excluding
              1.0.2y

              cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
              Start including
              1.1.1
              End excluding
              1.1.1j

              Configuration 2

              cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

              Configuration 3

              cpe:2.3:a:tenable:nessus_network_monitor:5.11.1:*:*:*:*:*:*:*

              cpe:2.3:a:tenable:nessus_network_monitor:5.12.0:*:*:*:*:*:*:*

              cpe:2.3:a:tenable:nessus_network_monitor:5.12.1:*:*:*:*:*:*:*

              cpe:2.3:a:tenable:nessus_network_monitor:5.13.0:*:*:*:*:*:*:*

              cpe:2.3:a:tenable:nessus_network_monitor:5.11.0:*:*:*:*:*:*:*

              cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:*
              End excluding
              6.0.8

              Configuration 4

              cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*

              cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*

              cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*

              cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*

              cpe:2.3:a:oracle:enterprise_manager_for_storage_management:13.4.0.0:*:*:*:*:*:*:*

              cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*

              cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:*

              cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:*

              cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:*

              cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
              Start including
              8.0.15
              End excluding
              8.0.23

              cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
              End excluding
              5.7.33

              cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*
              End excluding
              20.3

              cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
              End excluding
              9.2.6.0

              cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*

              cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*

              Configuration 5

              cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*

              cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*

              cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*

              cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*

              cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*

              cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*

              cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*

              cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*
              End excluding
              5.10.0

              cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*

              cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*

              cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:*

              cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:*

              Configuration 6

              cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*

              Running on/with:
              cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*

              Configuration 7

              cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*

              Running on/with:
              cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*

              Configuration 8

              cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*

              Running on/with:
              cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*

              Configuration 9

              cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*

              Running on/with:
              cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*

              Configuration 10

              cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*

              Running on/with:
              cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*

              Configuration 11

              cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*

              Running on/with:
              cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*

              Configuration 12

              cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
              Start including
              15.0.0
              End excluding
              15.10.0

              cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
              Start including
              14.0.0
              End including
              14.14.0

              cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
              Start including
              10.0.0
              End including
              10.12.0

              cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
              Start including
              12.0.0
              End including
              12.12.0

              cpe:2.3:a:nodejs:node.js:14.15.0:*:*:*:lts:*:*:*

              cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
              Start including
              12.13.0
              End excluding
              12.21.0

              cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
              Start including
              10.13.0
              End excluding
              10.24.0