Bug 1930310 (CVE-2021-23841)
Summary: | CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash() | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | aboyko, asoldano, atangrin, bbaranow, berrange, bmaxwell, brian.stansberry, cdewolf, cfergeau, chazlett, crypto-team, csutherl, darran.lofthouse, dkreling, dosoudil, eleandro, elima, erik-fedora, fidencio, gghezzo, gparvin, gwync, gzaronik, hmatsumo, iweiss, jclere, jimhart, jochrist, jperkins, jramanat, jweiser, jwon, kaycoth, krathod, kraxel, ktietz, kwills, lersek, lgao, marcandre.lureau, msochure, msvehla, mturk, nwallace, pbonzini, philmd, pjindal, pmackay, redhat-bugzilla, rguimara, rh-spice-bugs, rjones, rstancel, rsvoboda, sahana, smaestri, stcannon, szappis, thee, tm, tom.jenkinson, virt-maint, yborgess, yozone
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | openssl 1.1.1j, openssl 1.0.2y | Doc Type: | If docs needed, set a value
Doc Text: | The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash, leading to a potential denial of service attack. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2021-04-13 06:39:11 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1935195, 1935199, 1935201, 1935202, 1930311, 1930312, 1930313, 1930315, 1932125, 1932126, 1932127, 1935193, 1935194, 1935196, 1935197, 1935198, 1935205, 1936457, 1936581, 1940072, 1940073 | |
Bug Blocks: | | |
Description
Guilherme de Almeida Suckevicz
2021-02-18 16:49:31 UTC

Created compat-openssl10 tracking bugs for this issue:
Affects: fedora-all [bug 1930313]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-all [bug 1930312]

Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1930311]

Created openssl11 tracking bugs for this issue:
Affects: epel-7 [bug 1930315]

Mitigation:
As per upstream: "The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources."

Statement:
This is a null pointer dereference in the X509_issuer_and_serial_hash() function, which can result in a crash if called by an application compiled with OpenSSL, by passing a specially-crafted certificate. OpenSSL internally does not use this function.

External References:
https://www.openssl.org/news/secadv/20210216.txt

Upstream commit:
https://github.com/openssl/openssl/commit/8130d654d1de922ea224fa18ee3bc7262edc39c0

Upstream test for reproducing this at:
https://github.com/openssl/openssl/commit/55869f594f052561b11a2db6a7c42690051868de

This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Enterprise Application Platform 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7
Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-23841

I see this is closed, but RHEL7 still shows as affected here:
https://access.redhat.com/security/cve/cve-2021-23840
Can you please update it?
Thanks -jim

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2021:3798 https://access.redhat.com/errata/RHSA-2021:3798

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4198 https://access.redhat.com/errata/RHSA-2021:4198

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4424 https://access.redhat.com/errata/RHSA-2021:4424

This issue has been addressed in the following products:
Red Hat JBoss Core Services
Via RHSA-2021:4613 https://access.redhat.com/errata/RHSA-2021:4613

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2021:4614 https://access.redhat.com/errata/RHSA-2021:4614