CVE-2021-3618

Published: 23 March 2022

ALPACA is an application layer protocol content confusion attack that exploits TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker with access to the victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS, and cross-protocol attacks may be possible where the behavior of one protocol service compromises the other at the application layer.
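The precondition named above (different-protocol TLS services with compatible certificates) can be audited from a service inventory. The following is an added example, not part of the Ubuntu advisory or of any affected project; the hostnames, the inventory layout and the function names are assumptions made for illustration.

```python
from itertools import permutations

# Constructed inventory: hostnames and SAN lists are hypothetical sample data.
SERVICES = [
    {"host": "www.example.com", "proto": "https", "sans": ["*.example.com"]},
    {"host": "ftp.example.com", "proto": "ftp", "sans": ["*.example.com"]},
    {"host": "mail.example.com", "proto": "smtp", "sans": ["mail.example.com"]},
    {"host": "shop.example.net", "proto": "https",
     "sans": ["shop.example.net", "imap.example.net"]},
    {"host": "imap.example.net", "proto": "imap", "sans": ["imap.example.net"]},
]

def san_matches(pattern, hostname):
    """Match a certificate SAN against a hostname. A '*' is honoured only as
    the entire left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject overly broad patterns such as '*.com'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def find_confusable(services):
    """Return (intended_host, intended_proto, substitute_host, substitute_proto)
    for every ordered pair where the substitute speaks a different protocol but
    presents a certificate that is valid for the intended hostname."""
    findings = []
    for intended, substitute in permutations(services, 2):
        if intended["proto"] == substitute["proto"]:
            continue
        if any(san_matches(s, intended["host"]) for s in substitute["sans"]):
            findings.append((intended["host"], intended["proto"],
                             substitute["host"], substitute["proto"]))
    return findings

if __name__ == "__main__":
    for ih, ip, sh, sp in find_confusable(SERVICES):
        print(f"{ih} ({ip}) clients would accept the certificate of {sh} ({sp})")
```

In the sample data, mail.example.com has its own single-name certificate yet is still reported as an intended host, because the wildcard certificates on the other two example.com servers cover its name.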

Priority

Low

CVSS 3 base score: 7.4

Status

Package Release Status
nginx
bionic: Released (1.14.0-0ubuntu1.10)
focal: Released (1.18.0-0ubuntu1.3)
hirsute: Ignored (reached end-of-life)
impish: Released (1.18.0-6ubuntu11.1)
jammy: Released (1.18.0-6ubuntu14.1)
trusty: Needed
upstream: Released (1.21.0)
xenial: Released (1.10.3-0ubuntu0.16.04.5+esm3)
Patches:
upstream: http://hg.nginx.org/nginx/rev/ec1071830799
sendmail
bionic: Needed
focal: Needed
hirsute: Ignored (reached end-of-life)
impish: Needed
jammy: Needed
trusty: Needed
upstream: Released (8.16.1-1)
xenial: Ignored (out of standard support)
vsftpd
bionic: Needed
focal: Needed
hirsute: Ignored (reached end-of-life)
impish: Needed
jammy: Not vulnerable (3.0.5-0ubuntu1)
trusty: Needed
upstream: Released (3.0.4)
xenial: Needed