
CVE-2021-3711

Published: 24 August 2021

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, this time passing a non-NULL value for the "out" parameter (and the size of that buffer in "outlen"). A bug in the implementation of the SM2 decryption code means that the buffer size reported by the first call to EVP_PKEY_decrypt() can be smaller than the size actually required by the second call. This leads to a buffer overflow when the application makes the second call with a buffer that is too small. An attacker who is able to present SM2 content for decryption to an application could cause attacker-chosen data to overflow the buffer by up to 62 bytes, altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (affected 1.1.1 through 1.1.1k).
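The two-call pattern and the size mismatch described above, as an added example that is not part of this advisory and contains no OpenSSL or SM2 code: a self-contained C model of the bug class. The toy ciphertext layout, the fixed overhead estimate and the resulting 5-byte overrun are constructed for the demonstration and are not SM2's ASN.1 encoding or OpenSSL's real size calculation; the model only reproduces the shape of the defect (a size query that estimates from the input length instead of parsing the input, and a second call that writes the true plaintext length without honouring the caller's outlen) next to the corrected version. The buffer is over-allocated with a guard region so the program itself stays memory-safe while still counting the bytes that land past the size the first call reported.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy "ciphertext", constructed for this demo (not SM2's ASN.1):
 *   [hdr_len: 1 byte][hdr_len header bytes][payload ...]
 * "Decrypting" copies the payload out unchanged; only the length bookkeeping matters. */
#define OVERHEAD_ESTIMATE 8   /* fixed overhead the buggy size query assumes */
#define GUARD 64              /* slack so the demo itself never writes out of bounds */

/* True payload length from the header; 0 on malformed input. */
static int payload_len(const uint8_t *ct, size_t ctlen, size_t *plen)
{
    if (ctlen < 1 || (size_t)ct[0] + 1 > ctlen) return 0;
    *plen = ctlen - 1 - ct[0];
    return 1;
}

/* Vulnerable two-call decrypt: the size query (out == NULL) subtracts an assumed
 * overhead from the input length instead of parsing it, and the real decrypt
 * writes the true payload without checking the incoming *outlen. */
static int decrypt_vuln(const uint8_t *ct, size_t ctlen, uint8_t *out, size_t *outlen)
{
    size_t plen;
    if (out == NULL) {
        if (ctlen < OVERHEAD_ESTIMATE) return 0;
        *outlen = ctlen - OVERHEAD_ESTIMATE;   /* too small when the header is short */
        return 1;
    }
    if (!payload_len(ct, ctlen, &plen)) return 0;
    memcpy(out, ct + 1 + ct[0], plen);         /* overruns a buffer sized from the estimate */
    *outlen = plen;
    return 1;
}

/* Fixed two-call decrypt: the size query parses the input, and the real decrypt
 * refuses to write more than the caller says the buffer holds. */
static int decrypt_fixed(const uint8_t *ct, size_t ctlen, uint8_t *out, size_t *outlen)
{
    size_t plen;
    if (!payload_len(ct, ctlen, &plen)) return 0;
    if (out != NULL) {
        if (*outlen < plen) return 0;          /* buffer too small: fail, do not overflow */
        memcpy(out, ct + 1 + ct[0], plen);
    }
    *outlen = plen;
    return 1;
}

typedef int (*decrypt_fn)(const uint8_t *, size_t, uint8_t *, size_t *);

/* Run the advisory's two-call pattern and count the bytes the second call wrote past
 * the size reported by the first. The buffer has GUARD zeroed extra bytes and the
 * payload is all 0xAA, so bytes landing past "need" are visible. */
static size_t overflow_bytes(decrypt_fn decrypt, const uint8_t *ct, size_t ctlen)
{
    size_t need = 0, outlen, over = 0, i;
    uint8_t *buf;

    if (!decrypt(ct, ctlen, NULL, &need)) return 0;       /* first call: size query */
    if ((buf = calloc(need + GUARD, 1)) == NULL) return 0;
    outlen = need;                                        /* a correct caller passes its buffer size */
    if (decrypt(ct, ctlen, buf, &outlen))                 /* second call: real decrypt */
        for (i = need; i < need + GUARD; i++)
            if (buf[i] == 0xAA)
                over = i - need + 1;
    free(buf);
    return over;
}

/* Constructed inputs. ATTACK_CT has a 2-byte header, so its 20-byte payload is 5 bytes
 * longer than the buggy estimate 23 - 8 = 15. BENIGN_CT's 7-byte header matches the
 * estimate, so both implementations agree on it. */
static const uint8_t ATTACK_CT[23] = {
    2, 0x01, 0x02,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA
};
static const uint8_t BENIGN_CT[18] = {
    7, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA
};

/* Does the fixed decrypt refuse a buffer one byte shorter than the payload? */
static int fixed_rejects_short_buffer(void)
{
    uint8_t buf[20];
    size_t outlen = 19;
    return decrypt_fixed(ATTACK_CT, sizeof ATTACK_CT, buf, &outlen) == 0;
}

int main(void)
{
    printf("vulnerable: %zu bytes past the buffer\n", overflow_bytes(decrypt_vuln, ATTACK_CT, sizeof ATTACK_CT));
    printf("fixed: %zu bytes past the buffer, short buffer rejected: %d\n",
           overflow_bytes(decrypt_fixed, ATTACK_CT, sizeof ATTACK_CT), fixed_rejects_short_buffer());
    return 0;
}
```

Compile with `cc -Wall demo.c`. The point of the model is that the application side has no reliable defence: by the time the second call returns, the library has already written past the buffer it told the caller to allocate, so the only fix is in the library (the corrected size calculation shipped in 1.1.1l and the distro packages listed below), and the right response for an application that decrypts SM2 data from untrusted sources is to update.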

Priority: High

CVSS 3 base score: 9.8

Status

Package / Release / Status

edk2
  bionic    Not vulnerable (code not compiled)
  focal     Not vulnerable (code not compiled)
  hirsute   Not vulnerable (code not compiled)
  impish    Not vulnerable (code not compiled)
  jammy     Not vulnerable (code not compiled)
  trusty    Does not exist
  upstream  Needs triage
  xenial    Not vulnerable (code not compiled)

nodejs
  bionic    Not vulnerable (uses system openssl1.0)
  focal     Not vulnerable (uses system openssl1.1)
  hirsute   Not vulnerable (uses system openssl1.1)
  impish    Not vulnerable (uses system openssl1.1)
  jammy     Not vulnerable (uses system openssl1.1)
  trusty    Not vulnerable (uses system openssl)
  upstream  Needs triage
  xenial    Not vulnerable (uses system openssl)

openssl
  bionic    Released (1.1.1-1ubuntu2.1~18.04.13)
  focal     Released (1.1.1f-1ubuntu2.8)
  hirsute   Released (1.1.1j-1ubuntu3.5)
  impish    Released (1.1.1l-1ubuntu1)
  jammy     Released (1.1.1l-1ubuntu1)
  trusty    Not vulnerable
  upstream  Released (1.1.1l)
  xenial    Not vulnerable

openssl1.0
  bionic    Not vulnerable
  focal     Does not exist
  hirsute   Does not exist
  impish    Does not exist
  jammy     Does not exist
  trusty    Does not exist
  upstream  Needs triage
  xenial    Does not exist
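Checking a host's reported OpenSSL version against the affected range, as an added example that is not taken from this tracker or from OpenSSL: the C function below parses the string printed by `openssl version` (or a bare "1.1.1k") and encodes only the range stated in the description above, 1.1.1 through 1.1.1k affected and 1.1.1l fixed; the sample version strings are constructed. The caveat is visible in the table above: Ubuntu backports the fix without bumping the upstream version, so a patched bionic still reports 1.1.1 and a patched focal still reports 1.1.1f. On Ubuntu, compare the installed package version (`dpkg-query -W -f='${Version}\n' openssl`) with the Released column rather than trusting the upstream string alone; this check is for builds that track upstream releases directly.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse "OpenSSL 1.1.1k  25 Mar 2021" or "1.1.1k" into major.minor.patch plus the
 * letter suffix ('\0' when absent, as for the initial 1.1.1 release). 0 on failure. */
static int parse_openssl_version(const char *s, int *maj, int *min, int *pat, char *letter)
{
    int n = 0;
    if (strncmp(s, "OpenSSL", 7) == 0)
        s += 7;
    while (*s == ' ' || *s == '\t')
        s++;
    if (sscanf(s, "%d.%d.%d%n", maj, min, pat, &n) != 3)
        return 0;
    s += n;
    *letter = islower((unsigned char)*s) ? *s : '\0';
    return 1;
}

/* 1 if the reported version lies in the advisory's affected range (1.1.1 to 1.1.1k),
 * 0 if outside it (1.1.1l and later, or any other series), -1 if it cannot be parsed.
 * Distro builds that backport the fix keep the old string; see the note above. */
static int cve_2021_3711_affected(const char *verstr)
{
    int maj, min, pat;
    char letter;
    if (!parse_openssl_version(verstr, &maj, &min, &pat, &letter))
        return -1;
    if (maj != 1 || min != 1 || pat != 1)
        return 0;
    return letter == '\0' || letter <= 'k';
}

int main(void)
{
    /* constructed sample strings in the format "openssl version" prints */
    const char *samples[] = { "OpenSSL 1.1.1k  25 Mar 2021", "OpenSSL 1.1.1l  24 Aug 2021",
                              "OpenSSL 1.0.2u  20 Dec 2019", "1.1.1", "not a version" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %d\n", samples[i], cve_2021_3711_affected(samples[i]));
    return 0;
}
```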