CVE-2021-23840: Integer overflow in CipherUpdate
Published Feb 16, 2021
·Updated
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
Affected Software
114 affected componentsFixes available
redhat/jbcs-httpd24-apr<0:1.6.3-107.el8
0:1.6.3-107.el8
redhat/jbcs-httpd24-apr-util<0:1.6.1-84.el8
0:1.6.1-84.el8
redhat/jbcs-httpd24-curl<0:7.78.0-2.el8
0:7.78.0-2.el8
redhat/jbcs-httpd24-httpd<0:2.4.37-78.el8
0:2.4.37-78.el8
redhat/jbcs-httpd24-nghttp2<0:1.39.2-39.el8
0:1.39.2-39.el8
redhat/jbcs-httpd24-openssl<1:1.1.1g-8.el8
1:1.1.1g-8.el8
redhat/jbcs-httpd24-openssl-chil<0:1.0.0-7.el8
0:1.0.0-7.el8
redhat/jbcs-httpd24-openssl-pkcs11<0:0.4.10-22.el8
0:0.4.10-22.el8
redhat/jbcs-httpd24-apr<0:1.6.3-107.jbcs.el7
0:1.6.3-107.jbcs.el7
redhat/jbcs-httpd24-apr-util<0:1.6.1-84.jbcs.el7
0:1.6.1-84.jbcs.el7
redhat/jbcs-httpd24-curl<0:7.78.0-2.jbcs.el7
0:7.78.0-2.jbcs.el7
redhat/jbcs-httpd24-httpd<0:2.4.37-78.jbcs.el7
0:2.4.37-78.jbcs.el7
redhat/jbcs-httpd24-nghttp2<0:1.39.2-39.jbcs.el7
0:1.39.2-39.jbcs.el7
redhat/jbcs-httpd24-openssl<1:1.1.1g-8.jbcs.el7
1:1.1.1g-8.jbcs.el7
redhat/jbcs-httpd24-openssl-chil<0:1.0.0-7.jbcs.el7
0:1.0.0-7.jbcs.el7
redhat/jbcs-httpd24-openssl-pkcs11<0:0.4.10-22.jbcs.el7
0:0.4.10-22.jbcs.el7
redhat/openssl<1:1.0.2k-22.el7_9
1:1.0.2k-22.el7_9
redhat/edk2<0:20210527gite1999b264f1f-3.el8
0:20210527gite1999b264f1f-3.el8
redhat/openssl<1:1.1.1k-4.el8
1:1.1.1k-4.el8
redhat/jws5-tomcat<0:9.0.50-3.redhat_00004.1.el7
0:9.0.50-3.redhat_00004.1.el7
redhat/jws5-tomcat-native<0:1.2.30-3.redhat_3.el7
0:1.2.30-3.redhat_3.el7
redhat/jws5-tomcat-vault<0:1.1.8-4.Final_redhat_00004.1.el7
0:1.1.8-4.Final_redhat_00004.1.el7
redhat/jws5-tomcat<0:9.0.50-3.redhat_00004.1.el8
0:9.0.50-3.redhat_00004.1.el8
redhat/jws5-tomcat-native<0:1.2.30-3.redhat_3.el8
0:1.2.30-3.redhat_3.el8
redhat/jws5-tomcat-vault<0:1.1.8-4.Final_redhat_00004.1.el8
0:1.1.8-4.Final_redhat_00004.1.el8
IBM Security Verify Bridge<=All
redhat/openssl<1.1.1
1.1.1
redhat/openssl<1.0.2
1.0.2
debian/openssl
1.1.1w-0+deb11u11.1.1w-0+deb11u23.0.15-1~deb12u13.0.14-1~deb12u23.5.0-1
OpenSSL OpenSSL>=1.0.2<1.0.2y
OpenSSL OpenSSL>=1.1.1<1.1.1j
Debian Debian Linux=10.0
Tenable Log Correlation Engine<6.0.8
Tenable Nessus Network Monitor=5.11.0
Tenable Nessus Network Monitor=5.11.1
Tenable Nessus Network Monitor=5.12.0
Tenable Nessus Network Monitor=5.12.1
Tenable Nessus Network Monitor=5.13.0
Oracle Business Intelligence=5.5.0.0.0
Oracle Business Intelligence=5.9.0.0.0
Oracle Business Intelligence=12.2.1.3.0
Oracle Business Intelligence=12.2.1.4.0
Oracle Communications Cloud Native Core Policy=1.15.0
Oracle Enterprise Manager For Storage Management=13.4.0.0
Oracle Enterprise Manager Ops Center=12.4.0.0
Oracle GraalVM=19.3.5
Oracle GraalVM=20.3.1.2
Oracle GraalVM=21.0.0.2
Oracle JD Edwards EnterpriseOne Tools<9.2.6.0
Oracle Jd Edwards World Security=a9.4
Oracle MySQL Server<5.7.33
Oracle MySQL Server>=8.0.15<8.0.23
Oracle Nosql Database<20.3
McAfee ePolicy Orchestrator<5.10.0
McAfee ePolicy Orchestrator=5.10.0
McAfee ePolicy Orchestrator=5.10.0-update_1
McAfee ePolicy Orchestrator=5.10.0-update_10
McAfee ePolicy Orchestrator=5.10.0-update_2
McAfee ePolicy Orchestrator=5.10.0-update_3
McAfee ePolicy Orchestrator=5.10.0-update_4
McAfee ePolicy Orchestrator=5.10.0-update_5
McAfee ePolicy Orchestrator=5.10.0-update_6
McAfee ePolicy Orchestrator=5.10.0-update_7
McAfee ePolicy Orchestrator=5.10.0-update_8
McAfee ePolicy Orchestrator=5.10.0-update_9
All of the following
Fujitsu M10-1 Firmware<xcp2410
Fujitsu M10-1
All of the following
Fujitsu M10-4 Firmware<xcp2410
Fujitsu M10-4
All of the following
Fujitsu M10-4s Firmware<xcp2410
Fujitsu M10-4s
All of the following
Fujitsu M12-1 Firmware<xcp2410
Fujitsu M12-1
All of the following
Fujitsu M12-2 Firmware<xcp2410
Fujitsu M12-2
All of the following
Fujitsu M12-2s Firmware<xcp2410
Fujitsu M12-2s
All of the following
Fujitsu M10-1 Firmware<xcp3110
Fujitsu M10-1
All of the following
Fujitsu M10-4 Firmware<xcp3110
Fujitsu M10-4
All of the following
Fujitsu M10-4s Firmware<xcp3110
Fujitsu M10-4s
All of the following
Fujitsu M12-1 Firmware<xcp3110
Fujitsu M12-1
All of the following
Fujitsu M12-2 Firmware<xcp3110
Fujitsu M12-2
All of the following
Fujitsu M12-2s Firmware<xcp3110
Fujitsu M12-2s
Nodejs Node.js>=10.0.0<=10.12.0
Nodejs Node.js>=10.13.0<10.24.0
Nodejs Node.js>=12.0.0<=12.12.0
Nodejs Node.js>=12.13.0<12.21.0
Nodejs Node.js>=14.0.0<=14.14.0
Nodejs Node.js>=15.0.0<15.10.0
Nodejs Node.js=14.15.0
Fujitsu M10-1 Firmware<xcp2410
Fujitsu M10-1
Fujitsu M10-4 Firmware<xcp2410
Fujitsu M10-4
Fujitsu M10-4s Firmware<xcp2410
Fujitsu M10-4s
Fujitsu M12-1 Firmware<xcp2410
Fujitsu M12-1
Fujitsu M12-2 Firmware<xcp2410
Fujitsu M12-2
Fujitsu M12-2s Firmware<xcp2410
Fujitsu M12-2s
Fujitsu M10-1 Firmware<xcp3110
Fujitsu M10-4 Firmware<xcp3110
Fujitsu M10-4s Firmware<xcp3110
Fujitsu M12-1 Firmware<xcp3110
Fujitsu M12-2 Firmware<xcp3110
Fujitsu M12-2s Firmware<xcp3110
Remediation
Patch Available
Patch Available
Patch Available
Patch Available
Patch Available
Event History
Feb 16, 2021
CVE Published
12:00 AM
CVE Published
via MITRE·04:55 PM
Data Sourced
via MITRE·04:55 PM
DescriptionWeakness
Data Sourced
via NVD·05:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Feb 18, 2021
Data Sourced
via Red Hat·04:56 PM
DescriptionSeverityAffected Software
Sep 18, 2024
Data Sourced
via Launchpad·03:19 AM
Description
Sep 22, 2024
Data Sourced
via Ubuntu·03:19 AM
RemedyDescriptionSeverityAffected Software
Frequently Asked Questions
1
What is the vulnerability ID for this OpenSSL vulnerability?
The vulnerability ID for this OpenSSL vulnerability is CVE-2021-23840.
2
What is the severity of CVE-2021-23840?
CVE-2021-23840 has a severity level of high.
3
What is the impact of CVE-2021-23840?
CVE-2021-23840 can cause a denial of service (DoS) due to an integer overflow in CipherUpdate.
4
How can I fix CVE-2021-23840?
To fix CVE-2021-23840, update OpenSSL to the recommended version provided by the vendor.
5
Where can I find more information about CVE-2021-23840?
You can find more information about CVE-2021-23840 on the IBM X-Force Exchange website and the OpenSSL website.