CVE-2021-23840

Published: 16 February 2021

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
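To make the failure mode concrete, the following is an added model of the output-length arithmetic the advisory describes, together with a caller-side guard; it is not OpenSSL's source, and the function names, the 16-byte block size and the "buffered bytes" parameter are assumptions for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Added model (not OpenSSL source) of how an EVP_*Update-style routine
 * derives its output length: a partially buffered block is completed and
 * emitted first, then every whole block of the remaining input. Computed
 * in 64 bits so the model itself cannot overflow. */
static long long model_outl(int buffered, int block_size, int inl)
{
    long long outl = 0;
    if (buffered != 0) {
        int j = block_size - buffered;  /* bytes needed to fill the block */
        if (j > inl)
            return 0;                   /* all input stays buffered */
        inl -= j;
        outl = block_size;              /* completed block is emitted */
    }
    inl -= inl & (block_size - 1);      /* whole blocks only (power-of-two block size assumed) */
    return outl + inl;                  /* exceeds INT_MAX when inl is near it */
}

/* 1 if storing the length into an int *outl would have gone negative. */
int outl_overflows(int buffered, int block_size, int inl)
{
    return model_outl(buffered, block_size, inl) > INT_MAX;
}

/* Hypothetical caller-side guard: keep block_size + inl within INT_MAX
 * (conservative), and treat "success" with a negative length as failure. */
int safe_update_len(int buffered, int block_size, int inl, int *outl)
{
    if (inl < 0 || inl > INT_MAX - block_size)
        return 0;                       /* refuse; feed smaller chunks instead */
    long long r = model_outl(buffered, block_size, inl);
    if (r < 0 || r > INT_MAX)
        return 0;
    *outl = (int)r;
    return 1;
}

int main(void)
{
    int outl;
    printf("1 buffered byte, inl=INT_MAX overflows: %d\n",
           outl_overflows(1, 16, INT_MAX));            /* prints 1 */
    printf("guarded call accepts it: %d\n",
           safe_update_len(1, 16, INT_MAX, &outl));     /* prints 0 */
    return 0;
}
```

In an application the same two checks apply around the real calls: cap each chunk passed to EVP_*Update well below INT_MAX, and reject a return of 1 whose output length is negative instead of using it as a buffer offset.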

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status

edk2 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 21.04 (Hirsute Hippo): Needs triage
  Ubuntu 20.10 (Groovy Gorilla): Needs triage
  Ubuntu 20.04 LTS (Focal Fossa): Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver): Needs triage
  Ubuntu 16.04 LTS (Xenial Xerus): Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

nodejs (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (uses system openssl1.1)
  Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (uses system openssl1.1)
  Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (uses system openssl1.1)
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (uses system openssl1.0)
  Ubuntu 16.04 LTS (Xenial Xerus): Not vulnerable (uses system openssl)
  Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (uses system openssl)

openssl (Launchpad, Ubuntu, Debian)
  Upstream: Released (1.1.1j)
  Ubuntu 21.04 (Hirsute Hippo): Pending (1.1.1j-1ubuntu1)
  Ubuntu 20.10 (Groovy Gorilla): Released (1.1.1f-1ubuntu4.2)
  Ubuntu 20.04 LTS (Focal Fossa): Released (1.1.1f-1ubuntu2.2)
  Ubuntu 18.04 LTS (Bionic Beaver): Released (1.1.1-1ubuntu2.1~18.04.8)
  Ubuntu 16.04 LTS (Xenial Xerus): Released (1.0.2g-1ubuntu4.19)
  Ubuntu 14.04 ESM (Trusty Tahr): Needs triage

  Patches:
    Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1

openssl1.0 (Launchpad, Ubuntu, Debian)
  Upstream: Released (1.0.2y)
  Ubuntu 21.04 (Hirsute Hippo): Does not exist
  Ubuntu 20.10 (Groovy Gorilla): Does not exist
  Ubuntu 20.04 LTS (Focal Fossa): Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver): Released (1.0.2n-1ubuntu5.6)
  Ubuntu 16.04 LTS (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist