Уязвимость CVE-2021-22897: Информация

Описание

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

Важность: MEDIUM (5,3) Вектор: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-22897
Опубликовано: 11 июня 2021 г.
Изменено: 27 марта 2024 г.
Идентификатор типа ошибки: CWE-668

Исправленные пакеты

Имя пакета
Ветка
Исправлено в версии
Версия в репозитории
Errata ID
№ Задания
Состояние
MySQLsisyphus8.0.26-alt18.0.36-alt1ALT-PU-2021-2461-1281108Исправлено
MySQLsisyphus_riscv648.0.27-alt1.0.rv648.0.30-alt0.2.rv64ALT-PU-2021-4503-1-Исправлено
MySQLp108.0.26-alt18.0.36-alt1ALT-PU-2021-2477-1282098Исправлено
MySQLp98.0.26-alt18.0.26-alt2ALT-PU-2021-2571-1282101Исправлено
MySQLc10f18.0.26-alt18.0.36-alt1ALT-PU-2021-2477-1282098Исправлено
MySQLc9f28.0.26-alt28.0.36-alt0.c9.1ALT-PU-2021-3668-1291746Исправлено
curlsisyphus7.77.0-alt18.7.1-alt2ALT-PU-2021-1865-1272616Исправлено
curlp107.77.0-alt18.7.1-alt2ALT-PU-2021-1865-1272616Исправлено
curlp97.77.0-alt17.79.0-alt2ALT-PU-2021-1911-1272617Исправлено
curlc10f17.77.0-alt18.6.0-alt1ALT-PU-2021-1865-1272616Исправлено
curlc9f27.77.0-alt18.6.0-alt1ALT-PU-2021-2146-1276672Исправлено

Ссылки на рекомендации, решения и инструменты

Ссылка
Ресурс
https://curl.se/docs/CVE-2021-22897.html
  • Patch
  • Vendor Advisory
https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511
  • Patch
  • Third Party Advisory
https://hackerone.com/reports/1172857
  • Exploit
  • Issue Tracking
  • Third Party Advisory
N/A
  • Patch
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20210727-0007/
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
  • Patch
  • Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
  • Patch
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
  • Patch
  • Third Party Advisory

    1. Конфигурация 1

      cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
      Start including
      7.61.0
      End including
      7.76.1

      Конфигурация 2

      cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
      Start including
      8.0.0
      End including
      8.0.25
      cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*
      Start including
      21.0
      End excliding
      21.3
      cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*
      End excliding
      11.1.2.4.047
      cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
      End including
      5.7.34
      cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*

      Конфигурация 3

      cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
      cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:*
      cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*
      cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:*

      Конфигурация 4

      cpe:2.3:o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

      Конфигурация 5

      cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*

      Конфигурация 6

      cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

      Конфигурация 7

      cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

      Конфигурация 8

      cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*

      Конфигурация 9

      cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

      Конфигурация 10

      cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*

      Конфигурация 11

      cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

      Конфигурация 12

      cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
      End excliding
      1.0.1.1

      Конфигурация 13

      cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
      cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
      Start including
      9.0.0
      End excliding
      9.0.6
      cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
      Start including
      8.2.0
      End excliding
      8.2.12
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Версия: v24.5.0
Наверх