CVE-2021-3711

Published: 24 August 2021

To decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, this time passing a non-NULL value for the "out" parameter.

A bug in the implementation of the SM2 decryption code means that the buffer size calculated and returned by the first call to EVP_PKEY_decrypt() can be smaller than the size actually required by the second call. This can lead to a buffer overflow when the application calls EVP_PKEY_decrypt() a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker-chosen data to overflow the buffer by up to a maximum of 62 bytes, altering the contents of other data held after the buffer and possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated.

Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).

Priority

High

CVSS 3 Severity Score

9.8

Status

Package     Release    Status

edk2        jammy      Not vulnerable (code not compiled)
            bionic     Not vulnerable (code not compiled)
            trusty     Does not exist
            xenial     Not vulnerable (code not compiled)
            focal      Not vulnerable (code not compiled)
            hirsute    Not vulnerable (code not compiled)
            upstream   Needs triage
            impish     Not vulnerable (code not compiled)
            kinetic    Not vulnerable (code not compiled)
            lunar      Not vulnerable (code not compiled)
            mantic     Not vulnerable (code not compiled)

nodejs      jammy      Not vulnerable (uses system openssl1.1)
            xenial     Not vulnerable (uses system openssl)
            bionic     Not vulnerable (uses system openssl1.0)
            focal      Not vulnerable (uses system openssl1.1)
            trusty     Not vulnerable (uses system openssl)
            hirsute    Not vulnerable (uses system openssl1.1)
            upstream   Needs triage
            impish     Not vulnerable (uses system openssl1.1)
            kinetic    Not vulnerable (uses system openssl1.1)
            lunar      Not vulnerable (uses system openssl1.1)
            mantic     Not vulnerable (uses system openssl1.1)

openssl     focal      Released (1.1.1f-1ubuntu2.8)
            jammy      Released (1.1.1l-1ubuntu1)
            trusty     Not vulnerable
            xenial     Not vulnerable
            upstream   Released (1.1.1l)
            bionic     Released (1.1.1-1ubuntu2.1~18.04.13)
            hirsute    Released (1.1.1j-1ubuntu3.5)
            impish     Released (1.1.1l-1ubuntu1)
            kinetic    Released (1.1.1l-1ubuntu1)
            lunar      Released (1.1.1l-1ubuntu1)
            mantic     Released (1.1.1l-1ubuntu1)

openssl1.0  hirsute    Does not exist
            jammy      Does not exist
            trusty     Does not exist
            upstream   Needs triage
            bionic     Not vulnerable
            focal      Does not exist
            xenial     Does not exist
            impish     Does not exist
            kinetic    Does not exist
            lunar      Does not exist
            mantic     Does not exist
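As an added example (not part of this tracker page or of OpenSSL), a Python check that reports whether an upstream OpenSSL version falls in the affected range given above and whether an installed Ubuntu openssl package is at or past the fixed version listed in the status table; the package comparison follows the dpkg version ordering so that a backported fix such as 1.1.1f-1ubuntu2.8 is recognised as fixed rather than being mistaken for an affected upstream 1.1.1f. The fixed versions are copied from this page; the comparator is my own implementation, not dpkg's code.

```python
import re

# Fixed versions taken from this page: upstream OpenSSL, and the Ubuntu 'openssl'
# source package per release (releases the page lists as "Not vulnerable" are omitted).
UPSTREAM_FIXED = "1.1.1l"
FIXED_OPENSSL_PACKAGE = {
    "bionic": "1.1.1-1ubuntu2.1~18.04.13",
    "focal": "1.1.1f-1ubuntu2.8",
    "hirsute": "1.1.1j-1ubuntu3.5",
    "impish": "1.1.1l-1ubuntu1",
    "jammy": "1.1.1l-1ubuntu1",
}

def _order(c: str) -> int:
    # dpkg order of a non-digit character: '~' < end of part < letters < other characters
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a: str, b: str) -> int:
    # Compare one version part the dpkg way: alternate non-digit runs (lexical with
    # the modified ordering above) and digit runs (numeric), left to right
    while a or b:
        ra, rb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for i in range(max(len(ra), len(rb))):
            d = _order(ra[i:i + 1]) - _order(rb[i:i + 1])
            if d:
                return d
        a, b = a[len(ra):], b[len(rb):]
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        d = int(na or "0") - int(nb or "0")
        if d:
            return d
        a, b = a[len(na):], b[len(nb):]
    return 0

def compare_versions(v1: str, v2: str) -> int:
    # Negative if v1 < v2, zero if equal, positive if v1 > v2 ([epoch:]upstream[-revision])
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def upstream_is_affected(version: str) -> bool:
    # Affected range on the page: 1.1.1 through 1.1.1k; fixed in 1.1.1l; other branches are out of scope
    return re.fullmatch(r"1\.1\.1[a-z]?", version) is not None and compare_versions(version, UPSTREAM_FIXED) < 0

def package_is_fixed(release: str, installed: str) -> bool:
    # True when the installed Ubuntu openssl package is at or past the fixed version on this page
    return compare_versions(installed, FIXED_OPENSSL_PACKAGE[release]) >= 0
```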

Severity score breakdown

Parameter               Value
Base score              9.8
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        None
Scope                   Unchanged
Confidentiality impact  High
Integrity impact        High
Availability impact     High
Vector                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H