Denial of Service : OpenSSL: Integer overflow in CipherUpdate (CVE-2021-23840)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.145407

Categoría: Denial of Service

Título: OpenSSL: Integer overflow in CipherUpdate (CVE-2021-23840) - Linux

Resumen: OpenSSL is prone to an integer overflow vulnerability.

Descripción: Summary:
OpenSSL is prone to an integer overflow vulnerability.

Vulnerability Insight:
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may
overflow the output length argument in some cases where the input length is close to the maximum permissible
length for an integer on the platform. In such cases the return value from the function call will be 1
(indicating success), but the output length value will be negative.

Vulnerability Impact:
This vulnerability could cause applications to behave incorrectly or crash.

Affected Software/OS:
OpenSSL versions 1.0.2x and prior and 1.1.1i and prior.

Solution:
Update to version 1.0.2y, 1.1.1j or later. See the references for
more details.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2021-23840
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
https://kc.mcafee.com/corporate/index?page=content&id=SB10366
https://security.netapp.com/advisory/ntap-20210219-0009/
https://www.openssl.org/news/secadv/20210216.txt
https://www.tenable.com/security/tns-2021-03
https://www.tenable.com/security/tns-2021-09
https://www.tenable.com/security/tns-2021-10
Debian Security Information: DSA-4855 (Google Search)
https://www.debian.org/security/2021/dsa-4855
https://security.gentoo.org/glsa/202103-03
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E

Copyright Copyright (C) 2021 Greenbone Networks GmbH

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.145407
Categoría:	Denial of Service
Título:	OpenSSL: Integer overflow in CipherUpdate (CVE-2021-23840) - Linux
Resumen:	OpenSSL is prone to an integer overflow vulnerability.
Descripción:	Summary: OpenSSL is prone to an integer overflow vulnerability. Vulnerability Insight: Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. Vulnerability Impact: This vulnerability could cause applications to behave incorrectly or crash. Affected Software/OS: OpenSSL versions 1.0.2x and prior and 1.1.1i and prior. Solution: Update to version 1.0.2y, 1.1.1j or later. See the references for more details. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2021-23840 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2 https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846 https://kc.mcafee.com/corporate/index?page=content&id=SB10366 https://security.netapp.com/advisory/ntap-20210219-0009/ https://www.openssl.org/news/secadv/20210216.txt https://www.tenable.com/security/tns-2021-03 https://www.tenable.com/security/tns-2021-09 https://www.tenable.com/security/tns-2021-10 Debian Security Information: DSA-4855 (Google Search) https://www.debian.org/security/2021/dsa-4855 https://security.gentoo.org/glsa/202103-03 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpuoct2021.html https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
Copyright	Copyright (C) 2021 Greenbone Networks GmbH