CVE-2021-23841: Null pointer deref in X509_issuer_and_serial_hash()
Published Feb 16, 2021
·Updated
Last updated 24 July 2024
Credit
Tavis Ormandy(Google)
Affected Software
73 affected componentsFixes available
redhat/jbcs-httpd24-apr<0:1.6.3-107.el8
0:1.6.3-107.el8
redhat/jbcs-httpd24-apr-util<0:1.6.1-84.el8
0:1.6.1-84.el8
redhat/jbcs-httpd24-curl<0:7.78.0-2.el8
0:7.78.0-2.el8
redhat/jbcs-httpd24-httpd<0:2.4.37-78.el8
0:2.4.37-78.el8
redhat/jbcs-httpd24-nghttp2<0:1.39.2-39.el8
0:1.39.2-39.el8
redhat/jbcs-httpd24-openssl<1:1.1.1g-8.el8
1:1.1.1g-8.el8
redhat/jbcs-httpd24-openssl-chil<0:1.0.0-7.el8
0:1.0.0-7.el8
redhat/jbcs-httpd24-openssl-pkcs11<0:0.4.10-22.el8
0:0.4.10-22.el8
redhat/jbcs-httpd24-apr<0:1.6.3-107.jbcs.el7
0:1.6.3-107.jbcs.el7
redhat/jbcs-httpd24-apr-util<0:1.6.1-84.jbcs.el7
0:1.6.1-84.jbcs.el7
redhat/jbcs-httpd24-curl<0:7.78.0-2.jbcs.el7
0:7.78.0-2.jbcs.el7
redhat/jbcs-httpd24-httpd<0:2.4.37-78.jbcs.el7
0:2.4.37-78.jbcs.el7
redhat/jbcs-httpd24-nghttp2<0:1.39.2-39.jbcs.el7
0:1.39.2-39.jbcs.el7
redhat/jbcs-httpd24-openssl<1:1.1.1g-8.jbcs.el7
1:1.1.1g-8.jbcs.el7
redhat/jbcs-httpd24-openssl-chil<0:1.0.0-7.jbcs.el7
0:1.0.0-7.jbcs.el7
redhat/jbcs-httpd24-openssl-pkcs11<0:0.4.10-22.jbcs.el7
0:0.4.10-22.jbcs.el7
redhat/openssl<1:1.0.2k-22.el7_9
1:1.0.2k-22.el7_9
redhat/edk2<0:20210527gite1999b264f1f-3.el8
0:20210527gite1999b264f1f-3.el8
redhat/openssl<1:1.1.1k-4.el8
1:1.1.1k-4.el8
redhat/jws5-tomcat<0:9.0.50-3.redhat_00004.1.el7
0:9.0.50-3.redhat_00004.1.el7
redhat/jws5-tomcat-native<0:1.2.30-3.redhat_3.el7
0:1.2.30-3.redhat_3.el7
redhat/jws5-tomcat-vault<0:1.1.8-4.Final_redhat_00004.1.el7
0:1.1.8-4.Final_redhat_00004.1.el7
redhat/jws5-tomcat<0:9.0.50-3.redhat_00004.1.el8
0:9.0.50-3.redhat_00004.1.el8
redhat/jws5-tomcat-native<0:1.2.30-3.redhat_3.el8
0:1.2.30-3.redhat_3.el8
redhat/jws5-tomcat-vault<0:1.1.8-4.Final_redhat_00004.1.el8
0:1.1.8-4.Final_redhat_00004.1.el8
Apple macOS Big Sur<11.4
11.4
IBM Security Verify Bridge<=All
Apple Safari<14.1.1
14.1.1
Apple iOS<14.6
14.6
Apple iPadOS<14.6
14.6
OpenSSL OpenSSL>=1.0.2<1.0.2y
OpenSSL OpenSSL>=1.1.1<1.1.1j
Debian Debian Linux=10.0
Tenable Nessus Network Monitor=5.11.0
Tenable Nessus Network Monitor=5.11.1
Tenable Nessus Network Monitor=5.12.0
Tenable Nessus Network Monitor=5.12.1
Tenable Nessus Network Monitor=5.13.0
Tenable Tenable.Sc>=5.13.0<=5.17.0
Apple Safari<14.1.1
Apple iPadOS<14.6
Apple iPhone OS<14.6
Apple macOS>=11.1<11.4
NetApp OnCommand Insight
NetApp OnCommand Workflow Automation
NetApp Snapcenter
Oracle Business Intelligence=5.5.0.0.0
Oracle Business Intelligence=5.9.0.0.0
Oracle Business Intelligence=12.2.1.3.0
Oracle Business Intelligence=12.2.1.4.0
Oracle Communications Cloud Native Core Policy=1.15.0
Oracle Enterprise Manager For Storage Management=13.4.0.0
Oracle Enterprise Manager Ops Center=12.4.0.0
Oracle Essbase=21.2
Oracle GraalVM=19.3.5
Oracle GraalVM=20.3.1.2
Oracle GraalVM=21.0.0.2
Oracle Jd Edwards World Security=a9.4
Oracle MySQL Enterprise Monitor<8.0.23
Oracle MySQL Server<5.7.33
Oracle MySQL Server>=8.0.15<8.0.23
Oracle PeopleSoft Enterprise PeopleTools=8.57
Oracle PeopleSoft Enterprise PeopleTools=8.58
Oracle PeopleSoft Enterprise PeopleTools=8.59
Oracle ZFS Storage Appliance Kit=8.8
Siemens Sinec Ins<1.0
Siemens Sinec Ins=1.0
Siemens Sinec Ins=1.0-sp1
redhat/openssl<1.1.1
1.1.1
redhat/openssl<1.0.2
1.0.2
debian/openssl
1.1.1w-0+deb11u11.1.1w-0+deb11u23.0.15-1~deb12u13.0.14-1~deb12u23.5.0-1
Microsoft azl3 shim-unsigned-aarch64 15.8-5
Microsoft azl3 shim-unsigned-x64 15.8-5
Remediation
Patch Available
Patch Available
Patch Available
Patch Available
Information
As per upstream "The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources."
Event History
Feb 16, 2021
CVE Published
12:00 AM
CVE Published
via MITRE·04:55 PM
Data Sourced
via MITRE·04:55 PM
DescriptionWeakness
Feb 18, 2021
Data Sourced
via Red Hat·04:49 PM
DescriptionSeverityAffected Software
Sep 18, 2024
Data Sourced
via Ubuntu·03:19 AM
RemedyDescriptionSeverityAffected Software
Data Sourced
via Launchpad·03:21 AM
Description
Sep 3, 2025
Data Sourced
via Microsoft·10:33 PM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·10:33 PM
Affected Software
Updated
via Microsoft·10:33 PM
Affected Software
Updated
via Microsoft·10:33 PM
DescriptionSeverity
Frequently Asked Questions
1
What is CVE-2021-23841?
CVE-2021-23841 is a vulnerability that involves a null pointer dereference in the OpenSSL public API function X509_issuer_and_serial_hash().
2
What is the severity of CVE-2021-23841?
The severity of CVE-2021-23841 is medium with a CVSS score of 5.9.
3
How does CVE-2021-23841 affect Safari?
CVE-2021-23841 may affect Safari users, but it is recommended to refer to Apple's support page for specific information and remedies.
4
How do I fix CVE-2021-23841 on Red Hat products?
To fix CVE-2021-23841 on Red Hat products, update the affected packages to the specified versions provided by Red Hat.
5
What are the references for CVE-2021-23841?
The references for CVE-2021-23841 can be found at the following URLs: 1. [Apple Support - HT212529](https://support.apple.com/en-us/HT212529) 2. [Apple Support - HT212534](https://support.apple.com/en-us/HT212534) 3. [Apple Support - HT212528](https://support.apple.com/en-us/HT212528)