CVE-2021-23840

Description

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

How to fix CVE-2021-23840

To remediate CVE-2021-23840, upgrade the affected package to a fixed version below.

—upgrade to 1.1.1j-r0 or later
—upgrade to 1.1.1j-r0 or later
—upgrade to 10.12.1 or later
—upgrade to 10.12.1 or later
—upgrade to 111.14.0 or later
—upgrade to 111.14.0 or later
—upgrade to 1.1.0l-1~deb9u3 or later
—upgrade to 1.1.1j-1 or later
—upgrade to 1.0.2u-1~deb9u4 or later

Is CVE-2021-23840 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (9)

from 0, < 1.1.1j-r0
from 0, < 1.1.1j-r0
>= 10.0.0, < 10.12.1, >= 10.13.0, < 10.24.0, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.21.0, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.15.1, >= 15.0.0, < 15.10.0
>= 10.0.0, < 10.12.1, >= 10.13.0, < 10.24.0, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.21.0, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.15.1, >= 15.0.0, < 15.10.0
from 0, < 111.14.0
>= 0.0.0-0, < 111.14.0
from 0, < 1.1.0l-1~deb9u3
from 0, < 1.1.1j-1
from 0, < 1.0.2u-1~deb9u4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H