Bug 1995634 (CVE-2021-3712)
Summary: | CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Cedric Buissart <cbuissar> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aarif, adibrahi, avroy, bdettelb, caswilli, cfergeau, crypto-team, csutherl, dbelyavs, erik-fedora, fidencio, fjansen, gghezzo, gparvin, gzaronik, jclere, jnakfour, jramanat, jwon, kaycoth, krathod, ktietz, lilhuang, marcandre.lureau, mturk, pjindal, psegedy, redhat-bugzilla, rh-spice-bugs, rjones, sahana, security-response-team, stcannon, surpatil, szappis, tm, tomckay, vmugicag, voetelink, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | openssl 1.1.1l | Doc Type: | If docs needed, set a value |
Doc Text: |
It was found that openssl assumed ASN.1 strings to be NUL terminated. A malicious actor may be able to force an application into calling an openssl function with a specially crafted, non-NUL terminated string to deliberately hit this bug, which may result in a crash of the application, causing a Denial of Service attack, or possibly, memory disclosure. The highest threat from this vulnerability is to data confidentiality and system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-11-11 18:57:44 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1996053, 1996054, 1996185, 1996186, 1997219, 1997220, 1997221, 1997223, 1997297, 1997298, 1997299, 1997300, 1997301, 1997473, 2005400, 2005401, 2005402 | ||
Bug Blocks: |
Description
Cedric Buissart
2021-08-19 14:14:16 UTC
Description of the flaw:

It was found that several functions internal to openssl were assuming that a given string would be NUL ('\0') terminated. However, it may happen that a given application using openssl libraries is tricked by an attacker into calling these functions with specially crafted, non-NUL terminated strings. This would result in these functions reading past the string's allocated buffer, into the application memory (until a NUL byte is read).

This may result in the crash of the application, or, if the attacker is able to retrieve the content read, disclosure of the application's memory.

The affected functions are X.509 certificate related, and likely used for logging purposes. The memory disclosure is thus likely to be local only (not sent back to a remote attacker).

Upstream fixes, for the 1.1.1 branch:
https://github.com/openssl/openssl/commit/94d23fcff9b2a7a8368dfe52214d5c2569882c11
https://github.com/openssl/openssl/commit/2d0e5d4a4a5d4332325b5e5cea492fad2be633e1
https://github.com/openssl/openssl/commit/bb4d2ed4091408404e18b3326e3df67848ef63d0
https://github.com/openssl/openssl/commit/4de66925203ca99189c842136ec4a623137ea447
https://github.com/openssl/openssl/commit/8393de42498f8be75cf0353f5c9f906a43a748d2
https://github.com/openssl/openssl/commit/23446958685a593d4d9434475734b99138902ed2
https://github.com/openssl/openssl/commit/5f54e57406ca17731b9ade3afd561d3c652e07f2
https://github.com/openssl/openssl/commit/d9d838ddc0ed083fb4c26dd067e71aad7c65ad16

Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1997221]

Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1997219]

Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 1997220]

This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2021:4613 https://access.redhat.com/errata/RHSA-2021:4613

This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:4614 https://access.redhat.com/errata/RHSA-2021:4614

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3712

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5226 https://access.redhat.com/errata/RHSA-2021:5226

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0064 https://access.redhat.com/errata/RHSA-2022:0064

There seems to be a bug in the fix for RHEL7 which crashes Apache or nginx. See bugzilla id 2039993.
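Added example, not part of the bug report and not OpenSSL code: the flaw class from the description (a length-prefixed string treated as NUL terminated) next to a copy bounded by the recorded length. `struct der_string`, `arena`, `copy_assuming_nul` and `copy_bounded` are hypothetical names, and the memory layout is constructed so that the over-read stays inside one array.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an ASN.1 string: pointer plus explicit length.
 * The bytes are NOT guaranteed to be NUL terminated. */
struct der_string {
    const unsigned char *data;
    size_t length;
};

/* Constructed layout: an 11-byte value followed directly by unrelated bytes
 * in the same array. Only the last byte of the array is a NUL. */
static const unsigned char arena[] = "example.comADJACENT-DATA";

static struct der_string sample(void)
{
    struct der_string s = { arena, 11 };   /* "example.com", no terminator */
    return s;
}

/* Flawed pattern: scans for a NUL instead of using the recorded length. */
static size_t copy_assuming_nul(const struct der_string *s, char *out, size_t outlen)
{
    size_t n;
    if (outlen == 0)
        return 0;
    n = strlen((const char *)s->data);     /* runs past s->length */
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, s->data, n);
    out[n] = '\0';
    return n;
}

/* Bounded pattern: copies exactly s->length bytes and terminates the copy. */
static int copy_bounded(const struct der_string *s, char *out, size_t outlen)
{
    if (s->length >= outlen)
        return -1;                          /* no room for value + NUL */
    memcpy(out, s->data, s->length);
    out[s->length] = '\0';
    return (int)s->length;
}

int main(void)
{
    struct der_string s = sample();
    char a[64], b[64];
    copy_assuming_nul(&s, a, sizeof a);
    copy_bounded(&s, b, sizeof b);
    printf("assumed NUL: %s\nbounded:     %s\n", a, b);
    return 0;
}
```

In code that uses OpenSSL directly, the recorded length is what `ASN1_STRING_length()` returns for the bytes from `ASN1_STRING_get0_data()`.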