
Bug 1930310 (CVE-2021-23841)

Summary: CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash()
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Assignee: Red Hat Product Security <security-response-team>
CC: aboyko, asoldano, atangrin, bbaranow, berrange, bmaxwell, brian.stansberry, cdewolf, cfergeau, chazlett, crypto-team, csutherl, darran.lofthouse, dkreling, dosoudil, eleandro, elima, erik-fedora, fidencio, gghezzo, gparvin, gwync, gzaronik, hmatsumo, iweiss, jclere, jimhart, jochrist, jperkins, jramanat, jweiser, jwon, kaycoth, krathod, kraxel, ktietz, kwills, lersek, lgao, marcandre.lureau, msochure, msvehla, mturk, nwallace, pbonzini, philmd, pjindal, pmackay, redhat-bugzilla, rguimara, rh-spice-bugs, rjones, rstancel, rsvoboda, sahana, smaestri, stcannon, szappis, thee, tm, tom.jenkinson, virt-maint, yborgess, yozone
Fixed In Version: openssl 1.1.1j, openssl 1.0.2y
Doc Text:
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.
Last Closed: 2021-04-13 06:39:11 UTC
Bug Depends On: 1935195, 1935199, 1935201, 1935202, 1930311, 1930312, 1930313, 1930315, 1932125, 1932126, 1932127, 1935193, 1935194, 1935196, 1935197, 1935198, 1935205, 1936457, 1936581, 1940072, 1940073

Description Guilherme de Almeida Suckevicz 2021-02-18 16:49:31 UTC
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.

The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j.

OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j.

Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Reference:
https://www.openssl.org/news/secadv/20210216.txt

Comment 1 Guilherme de Almeida Suckevicz 2021-02-18 16:50:17 UTC
Created compat-openssl10 tracking bugs for this issue:

Affects: fedora-all [bug 1930313]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1930312]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1930311]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 1930315]

Comment 4 Huzaifa S. Sidhpurwala 2021-02-24 03:11:50 UTC
Mitigation:

As per upstream "The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources."

Comment 6 Huzaifa S. Sidhpurwala 2021-02-24 03:25:06 UTC
Statement:

This is a null pointer dereference in the X509_issuer_and_serial_hash() function, which can result in a crash if called by an application compiled with OpenSSL, by passing a specially-crafted certificate. OpenSSL internally does not use this function.
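The description in this bug and the statement above both describe the same bug class: the one-line conversion of the issuer field can fail, the failure is not checked, and the following dereference crashes the caller. The C program below is an added example written for this page; it is not OpenSSL's code and not part of the bug report. The length-prefixed issuer encoding, the issuer_oneline() converter, the FNV-1a digest and the two sample certificates are all constructed for the demo and are assumptions. Only the control-flow shape of the two hash functions carries over: the _vuln variant calls strlen() on the converter's result without checking it, and the _fixed variant follows the shape of the upstream 1.1.1j fix, which tests the one-line issuer name for NULL and returns 0 on error.

```c
/* Added example, not OpenSSL code: a self-contained model of the bug class
 * behind CVE-2021-23841. Issuer encoding, converter, digest and samples are
 * constructed for this demo; the two hash functions' control flow is the point. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an X509: the issuer is a run of length-prefixed
 * attribute strings ending in a 0 length byte, plus a serial number. */
typedef struct {
    const unsigned char *issuer;
    size_t issuer_len;          /* bytes actually available in issuer */
    uint64_t serial;
} demo_cert;

/* Stand-in for X509_NAME_oneline(): render the issuer as "/attr/attr".
 * Returns a malloc'd string the caller frees, or NULL when an entry's
 * length byte runs past the buffer, i.e. when the issuer is malformed. */
static char *issuer_oneline(const unsigned char *p, size_t n)
{
    size_t i = 0, out = 0, cap = 64;
    char *s = malloc(cap);
    if (s == NULL)
        return NULL;
    while (i < n && p[i] != 0) {
        size_t l = p[i++];
        if (l > n - i) {        /* malformed: claimed length exceeds data */
            free(s);
            return NULL;
        }
        if (out + l + 2 > cap) {
            size_t need = (out + l + 2) * 2;
            char *t = realloc(s, need);
            if (t == NULL) {
                free(s);
                return NULL;
            }
            s = t;
            cap = need;
        }
        s[out++] = '/';
        memcpy(s + out, p + i, l);
        out += l;
        i += l;
    }
    s[out] = '\0';
    return s;
}

/* FNV-1a, standing in for the digest step. */
static uint64_t fnv1a(uint64_t h, const void *data, size_t len)
{
    const unsigned char *b = data;
    for (size_t k = 0; k < len; k++) {
        h ^= b[k];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Vulnerable shape: the converter's NULL return is never checked, so
 * strlen(NULL) faults on a malformed issuer. Never use on untrusted input. */
uint64_t issuer_and_serial_hash_vuln(const demo_cert *c)
{
    uint64_t h = 1469598103934665603ULL;
    char *f = issuer_oneline(c->issuer, c->issuer_len);
    h = fnv1a(h, f, strlen(f));              /* NULL dereference if f == NULL */
    free(f);
    return fnv1a(h, &c->serial, sizeof c->serial);
}

/* Fixed shape, same pattern as the upstream 1.1.1j change: a NULL one-line
 * name is an error, reported as 0 so the caller can tell error from hash. */
uint64_t issuer_and_serial_hash_fixed(const demo_cert *c)
{
    uint64_t h = 1469598103934665603ULL;
    char *f = issuer_oneline(c->issuer, c->issuer_len);
    if (f == NULL)
        return 0;                            /* parse error: no hash, no crash */
    h = fnv1a(h, f, strlen(f));
    free(f);
    h = fnv1a(h, &c->serial, sizeof c->serial);
    return h == 0 ? 1 : h;                   /* keep 0 reserved for "error" */
}

/* Constructed samples: a well-formed issuer "/US/Example", and one whose
 * first entry claims 40 bytes while only 3 follow. */
static const unsigned char good_issuer[] = { 2, 'U', 'S', 7, 'E', 'x', 'a', 'm', 'p', 'l', 'e', 0 };
static const unsigned char bad_issuer[] = { 40, 'b', 'a', 'd' };

/* Hash a constructed cert with the fixed function; 0 means the issuer did not parse. */
uint64_t hash_demo(const unsigned char *iss, size_t n, uint64_t serial)
{
    demo_cert c = { iss, n, serial };
    return issuer_and_serial_hash_fixed(&c);
}

int main(void)
{
    printf("good issuer: %#llx\n", (unsigned long long)hash_demo(good_issuer, sizeof good_issuer, 0x1234));
    printf("bad issuer:  %#llx (0 = parse error)\n", (unsigned long long)hash_demo(bad_issuer, sizeof bad_issuer, 0x1234));
    /* The vulnerable variant crashes here instead of returning:
     *   demo_cert bad = { bad_issuer, sizeof bad_issuer, 0x1234 };
     *   issuer_and_serial_hash_vuln(&bad); */
    return 0;
}
```

Build with `cc demo.c`; the vulnerable variant on the malformed issuer faults, which is the crash the advisory describes. On a real build the practitioner's check is the one in the mitigation above: search your own code and your dependencies for calls to X509_issuer_and_serial_hash(), and if any of them are fed certificates from the network, confirm the OpenSSL in use carries the fix (upstream 1.1.1j or 1.0.2y, or the Red Hat errata listed in this bug; RHEL backports fixes without bumping the upstream version string, so a bare version check is not sufficient there). Callers of the fixed function must also treat a 0 return as an error rather than as a hash.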

Comment 7 Huzaifa S. Sidhpurwala 2021-02-24 03:25:11 UTC
External References:

https://www.openssl.org/news/secadv/20210216.txt

Comment 17 Ted Jongseok Won 2021-03-23 01:41:39 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Enterprise Application Platform 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 18 errata-xmlrpc 2021-04-13 00:09:38 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168

Comment 19 Product Security DevOps Team 2021-04-13 06:39:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23841

Comment 20 Jim Hart 2021-06-28 18:55:30 UTC
I see this is closed, but RHEL7 still shows as affected here:  https://access.redhat.com/security/cve/cve-2021-23840
Can you please update it?  Thanks -jim

Comment 21 errata-xmlrpc 2021-08-06 00:50:19 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 24 errata-xmlrpc 2021-10-12 15:28:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3798 https://access.redhat.com/errata/RHSA-2021:3798

Comment 25 errata-xmlrpc 2021-11-09 17:42:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4198 https://access.redhat.com/errata/RHSA-2021:4198

Comment 26 errata-xmlrpc 2021-11-09 18:44:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4424 https://access.redhat.com/errata/RHSA-2021:4424

Comment 27 errata-xmlrpc 2021-11-10 17:14:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2021:4613 https://access.redhat.com/errata/RHSA-2021:4613

Comment 28 errata-xmlrpc 2021-11-10 17:18:15 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:4614 https://access.redhat.com/errata/RHSA-2021:4614