CVE-2021-23840

一、漏洞信息
漏洞编号：CVE-2021-23840
漏洞归属组件：hetu-core
漏洞归属的版本：5.1.47
CVSS V3.0分值：
BaseScore：7.5 High
Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
漏洞简述：
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
漏洞公开时间：2021-02-17 01:15
漏洞创建时间：2022-04-20 08:46:08
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2021-23840

更多参考(点击展开)

参考来源	参考链接	来源链接
CONFIRM	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
CONFIRM	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
CONFIRM	https://www.openssl.org/news/secadv/20210216.txt
DEBIAN	https://www.debian.org/security/2021/dsa-4855
CONFIRM	https://security.netapp.com/advisory/ntap-20210219-0009/
CONFIRM	https://www.tenable.com/security/tns-2021-03
GENTOO	https://security.gentoo.org/glsa/202103-03
CONFIRM	https://www.tenable.com/security/tns-2021-09
CONFIRM	https://www.tenable.com/security/tns-2021-10
MISC	https://www.oracle.com/security-alerts/cpuApr2021.html
MLIST	https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
MLIST	https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
CONFIRM	https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
N/A	https://www.oracle.com//security-alerts/cpujul2021.html
MISC	https://www.oracle.com/security-alerts/cpuoct2021.html
CONFIRM	https://kc.mcafee.com/corporate/index?page=content&id=SB10366
MISC	https://www.oracle.com/security-alerts/cpujan2022.html
CONFIRM	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
MISC	https://www.oracle.com/security-alerts/cpuapr2022.html
redhat	https://access.redhat.com/security/cve/CVE-2021-23840
suse_bugzilla	https://www.openssl.org/news/secadv/20210216.txt
suse_bugzilla	https://build.opensuse.org/request/show/874306
redhat_bugzilla	https://access.redhat.com/security/cve/cve-2021-23840
ubuntu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840
ubuntu	https://www.openssl.org/news/secadv/20210216.txt
ubuntu	https://ubuntu.com/security/notices/USN-4738-1
ubuntu	https://ubuntu.com/security/notices/USN-5088-1
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2021-23840
ubuntu	https://launchpad.net/bugs/cve/CVE-2021-23840
ubuntu	https://security-tracker.debian.org/tracker/CVE-2021-23840
ubuntu	https://bugzilla.tianocore.org/show_bug.cgi?id=3266
debian	https://security-tracker.debian.org/tracker/CVE-2021-23840
oracle	https://www.oracle.com/security-alerts/linuxbulletinoct2021.html
openssl	https://www.openssl.org/news/secadv/20210216.txt
gentoo	https://security.gentoo.org/glsa/202103-03
MISC	https://www.oracle.com/security-alerts/cpuapr2022.html
MISC	https://www.oracle.com/security-alerts/cpujan2022.html
CONFIRM	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

漏洞分析指导链接：
https://gitee.com/openlookeng/community/blob/master/security/cve/doc/md/manual.md
漏洞数据来源:
其它
漏洞补丁信息：

详情(点击展开)

影响的包	修复版本	修复补丁	来源
		https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2	CONFIRM
		https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1	CONFIRM
		https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1	nvd
		https://www.oracle.com/security-alerts/cpuApr2021.html	nvd
		https://www.oracle.com//security-alerts/cpujul2021.html	nvd
		https://www.oracle.com/security-alerts/cpuoct2021.html	nvd
openssl	1.1.1j	https://github.com/openssl/openssl/commit/6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1	openssl
openssl	1.0.2y	https://github.com/openssl/openssl/commit/6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1	openssl
openssl	1.1.1j	https://github.com/openssl/openssl/commit/9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2	openssl
openssl	1.0.2y	https://github.com/openssl/openssl/commit/9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2	openssl

二、漏洞分析结构反馈
影响性分析说明：

openLooKeng评分：
7.5
Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响)：
1.1.6.0:
2.master:
3.1.6.1:
4.openEuler-22.03-LTS-SP1:

@tushengxia
issue处理注意事项:
1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;
2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;
3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openLooKeng评分, 受影响版本排查(受影响/不受影响))不能省略,省略后cve-manager将无法正常解析填写内容.

影响性分析说明:

openLooKeng评分: (评分和向量)

受影响版本排查(受影响/不受影响):
1.1.6.0:
2.master:

issue处理具体操作请参考:
https://gitee.com/openlookeng/community/blob/master/security/cve/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

@i-robot , Please select a milestone for the issue. Then, you can use the /check-milestone command to remove the needs-milestone label.

openLooKeng / hetu-core

内容风险标识

评论 (2)

openLooKeng / hetu-core .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2021-23840

评论 (2)

搜索帮助

openLooKeng / hetu-core