
CVE-2021-23840

Published: 16 February 2021

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
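A caller-side guard for the condition described above, as an added example that is not OpenSSL's or Ubuntu's code. The function names are hypothetical, and the bound of input length plus one cipher block on the bytes written by a single update call is an assumption taken from the EVP documentation.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helpers (not OpenSSL API). block_size is what the caller
 * reads from the cipher context, e.g. 16 for AES-CBC, 1 for stream modes. */

/* Worst-case bytes one update call may write: the input plus one block
 * buffered from an earlier call. Widened so the sum itself cannot wrap. */
static long long worst_case_out(int inl, int block_size)
{
    return (long long)inl + (long long)block_size;
}

/* Pre-call guard: 1 only if the worst-case output length fits in an int. */
int update_len_is_safe(int inl, int block_size)
{
    if (inl < 0 || block_size <= 0)
        return 0;
    return worst_case_out(inl, block_size) <= INT_MAX;
}

/* Chunk size for feeding a size_t-sized buffer through repeated calls:
 * block-aligned and small enough that the guard above always passes. */
int next_chunk_len(size_t remaining, int block_size)
{
    size_t max_chunk;
    if (block_size <= 0)
        return -1;
    max_chunk = (size_t)(INT_MAX - block_size);
    max_chunk -= max_chunk % (size_t)block_size;
    return (int)(remaining < max_chunk ? remaining : max_chunk);
}

/* Post-call check: on an unpatched library the call can return 1 with a
 * negative outl, so the return value alone is not trusted. */
int update_result_is_sane(int ret, int inl, int block_size, int outl)
{
    if (ret != 1 || outl < 0)
        return 0;
    return (long long)outl <= worst_case_out(inl, block_size);
}

int main(void)
{
    printf("inl=INT_MAX, block=16 safe? %d\n", update_len_is_safe(INT_MAX, 16));
    printf("chunk for 3 GiB input: %d\n", next_chunk_len((size_t)3 << 30, 16));
    return 0;
}
```

The pre-call guard and chunking keep an application clear of the overflow on any library version; the post-call check catches the "returns 1 with a negative length" symptom if a call slips through.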

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
edk2
  bionic    Needed
  focal     Released (0~20191122.bd85bf54-2ubuntu3.3)
  groovy    Ignored (reached end-of-life)
  hirsute   Released (2020.11-4ubuntu0.1)
  impish    Not vulnerable (2021.08~rc0-2)
  jammy     Not vulnerable (2021.08~rc0-2)
  precise   Does not exist
  trusty    Does not exist
  upstream  Not vulnerable
  xenial    Ignored (out of standard support)
nodejs
  bionic    Not vulnerable (uses system openssl1.0)
  focal     Not vulnerable (uses system openssl1.1)
  groovy    Not vulnerable (uses system openssl1.1)
  hirsute   Not vulnerable (uses system openssl1.1)
  impish    Not vulnerable (uses system openssl1.1)
  jammy     Not vulnerable (uses system openssl1.1)
  precise   Does not exist
  trusty    Not vulnerable (uses system openssl)
  upstream  Needs triage
  xenial    Not vulnerable (uses system openssl)
openssl
  bionic    Released (1.1.1-1ubuntu2.1~18.04.8)
  focal     Released (1.1.1f-1ubuntu2.2)
  groovy    Released (1.1.1f-1ubuntu4.2)
  hirsute   Released (1.1.1j-1ubuntu1)
  impish    Released (1.1.1j-1ubuntu1)
  jammy     Released (1.1.1j-1ubuntu1)
  precise   Ignored (end of ESM support, was needs-triage)
  trusty    Needs triage
  upstream  Released (1.1.1j)
  xenial    Released (1.0.2g-1ubuntu4.19)
openssl1.0
  bionic    Released (1.0.2n-1ubuntu5.6)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  impish    Does not exist
  jammy     Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (1.0.2y)
  xenial    Does not exist

Notes

Author: mdeslaur
Note:
  edk2 doesn't use EVP_CipherUpdate, EVP_EncryptUpdate, or EVP_DecryptUpdate, so it doesn't appear vulnerable to this issue
  edk2 upstream says EVP_DecryptUpdate is used by drivers
