CVE-2021-3618

Description

ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.

How to fix CVE-2021-3618

To remediate CVE-2021-3618, upgrade the affected package to a fixed version below.

• —upgrade to 1.20.1-r1 or later
• —upgrade to 1.21.0 or later
• —upgrade to 1.21.0 or later
• —upgrade to 1.14.2-2+deb10u5 or later
• —upgrade to 1.18.0-6.1+deb11u2 or later
• —no fix listed
• —no fix listed

Is CVE-2021-3618 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• from 0, < 1.20.1-r1
• from 0, < 1.21.0
• from 0, < 1.21.0
• from 0, < 1.14.2-2+deb10u5
• from 0, < 1.18.0-6.1+deb11u2
• from 0
• from 0

CVSS scores

References (6)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2021-3618
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-3618
• WEBalpaca-attack.com
• WEBbugzilla.redhat.com/show_bug.cgi?id=1975623
• WEBlists.debian.org