CVE-2021-23840

EPSS 0.57%
Published 16.02.2021 17:15:13
Last modified 21.11.2024 05:51:55
Source openssl-security@openssl.org
Teams watchlist Login
Open Login

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Affected products Warnungen 0 Metrics 3 CWE 1 References 23

Data is provided by the National Vulnerability Database (NVD)

OpenSSL ≫ OpenSSL Version >= 1.0.2 < 1.0.2y

OpenSSL ≫ OpenSSL Version >= 1.1.1 < 1.1.1j

Debian ≫ Debian Linux Version10.0

Tenable ≫ Log Correlation Engine Version < 6.0.8

Tenable ≫ Nessus Network Monitor Version5.11.0

Tenable ≫ Nessus Network Monitor Version5.11.1

Tenable ≫ Nessus Network Monitor Version5.12.0

Tenable ≫ Nessus Network Monitor Version5.12.1

Tenable ≫ Nessus Network Monitor Version5.13.0

Oracle ≫ Business Intelligence Version5.5.0.0.0 SwEditionenterprise

Oracle ≫ Business Intelligence Version5.9.0.0.0 SwEditionenterprise

Oracle ≫ Business Intelligence Version12.2.1.3.0 SwEditionenterprise

Oracle ≫ Business Intelligence Version12.2.1.4.0 SwEditionenterprise

Oracle ≫ Communications Cloud Native Core Policy Version1.15.0

Oracle ≫ Enterprise Manager For Storage Management Version13.4.0.0

Oracle ≫ Enterprise Manager Ops Center Version12.4.0.0

Oracle ≫ Graalvm Version19.3.5 SwEditionenterprise

Oracle ≫ Graalvm Version20.3.1.2 SwEditionenterprise

Oracle ≫ Graalvm Version21.0.0.2 SwEditionenterprise

Oracle ≫ Jd Edwards Enterpriseone Tools Version < 9.2.6.0

Oracle ≫ Jd Edwards World Security Versiona9.4

Oracle ≫ Mysql Server Version < 5.7.33

Oracle ≫ Mysql Server Version >= 8.0.15 < 8.0.23

Oracle ≫ Nosql Database Version < 20.3

Mcafee ≫ Epolicy Orchestrator Version < 5.10.0

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Update-

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_1

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_10

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_2

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_3

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_4

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_5

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_6

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_7

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_8

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_9

Fujitsu ≫ M10-1 Firmware Version < xcp2410

Fujitsu ≫ M10-1 Version-

Fujitsu ≫ M10-4 Firmware Version < xcp2410

Fujitsu ≫ M10-4 Version-

Fujitsu ≫ M10-4s Firmware Version < xcp2410

Fujitsu ≫ M10-4s Version-

Fujitsu ≫ M12-1 Firmware Version < xcp2410

Fujitsu ≫ M12-1 Version-

Fujitsu ≫ M12-2 Firmware Version < xcp2410

Fujitsu ≫ M12-2 Version-

Fujitsu ≫ M12-2s Firmware Version < xcp2410

Fujitsu ≫ M12-2s Version-

Fujitsu ≫ M10-1 Firmware Version < xcp3110

Fujitsu ≫ M10-1 Version-

Fujitsu ≫ M10-4 Firmware Version < xcp3110

Fujitsu ≫ M10-4 Version-

Fujitsu ≫ M10-4s Firmware Version < xcp3110

Fujitsu ≫ M10-4s Version-

Fujitsu ≫ M12-1 Firmware Version < xcp3110

Fujitsu ≫ M12-1 Version-

Fujitsu ≫ M12-2 Firmware Version < xcp3110

Fujitsu ≫ M12-2 Version-

Fujitsu ≫ M12-2s Firmware Version < xcp3110

Fujitsu ≫ M12-2s Version-

Nodejs ≫ Node.Js SwEdition- Version >= 10.0.0 <= 10.12.0

Nodejs ≫ Node.Js SwEditionlts Version >= 10.13.0 < 10.24.0

Nodejs ≫ Node.Js SwEdition- Version >= 12.0.0 <= 12.12.0

Nodejs ≫ Node.Js SwEditionlts Version >= 12.13.0 < 12.21.0

Nodejs ≫ Node.Js SwEdition- Version >= 14.0.0 <= 14.14.0

Nodejs ≫ Node.Js SwEdition- Version >= 15.0.0 < 15.10.0

Nodejs ≫ Node.Js Version14.15.0 SwEditionlts

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.57%	0.676

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory