Vulnerability Details CVE-2021-23840
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
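A caller-side guard for the failure mode described above, as an added example (not OpenSSL's code and not the upstream fix): it caps the input passed to each update call so the worst-case output length fits in an int, and it rejects a call that returns 1 but reports a negative or out-of-range length. The function names are hypothetical, and the `inl + block_size` worst-case bound is an assumption taken from the documented output limits of the EVP update functions.

```c
#include <limits.h>
#include <stddef.h>

/* Conservative worst case for one update call on a block cipher: the input
 * plus one block of previously buffered data (assumed bound, see lead-in).
 * Returns 0 when inl + block_size cannot be represented in an int. */
static int worst_case_out(int inl, int block_size, int *out)
{
    if (inl < 0 || block_size <= 0 || inl > INT_MAX - block_size)
        return 0;
    *out = inl + block_size;
    return 1;
}

/* Largest input to pass in one call: a whole number of blocks, capped so
 * that chunk + block_size still fits in an int. Returns 0 on a bad size. */
int safe_chunk_len(size_t remaining, int block_size)
{
    size_t cap;
    if (block_size <= 0)
        return 0;
    cap = (size_t)(INT_MAX - block_size);
    cap -= cap % (size_t)block_size;
    return (int)(remaining < cap ? remaining : cap);
}

/* Post-call check: accept only if the call reported success AND the
 * reported length lies in [0, inl + block_size]. A return value of 1 with
 * a negative length is treated as a failure, not as success. */
int update_result_ok(int ret, int inl, int outl, int block_size)
{
    int bound;
    if (ret != 1 || !worst_case_out(inl, block_size, &bound))
        return 0;
    return outl >= 0 && outl <= bound;
}

/* Number of update calls needed to feed `total` bytes in safe chunks. */
size_t calls_needed(size_t total, int block_size)
{
    size_t calls = 0;
    while (total > 0) {
        int chunk = safe_chunk_len(total, block_size);
        if (chunk == 0)
            return 0;           /* invalid block size */
        total -= (size_t)chunk;
        calls++;
    }
    return calls;
}
```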
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 59.0%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
Products affected by CVE-2021-23840
- cpe:2.3:a:mcafee:epolicy_orchestrator:-
- cpe:2.3:a:mcafee:epolicy_orchestrator:2.0
- cpe:2.3:a:mcafee:epolicy_orchestrator:2.5
- cpe:2.3:a:mcafee:epolicy_orchestrator:2.5.1
- cpe:2.3:a:mcafee:epolicy_orchestrator:3.0
- cpe:2.3:a:mcafee:epolicy_orchestrator:3.5.0
- cpe:2.3:a:mcafee:epolicy_orchestrator:3.6.0
- cpe:2.3:a:mcafee:epolicy_orchestrator:3.6.1
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.0
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.0
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.3
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.4
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.5
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.6
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.7
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.0
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.1
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.2
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.3
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.4
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.5
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.6
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.7
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.8
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.9
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.0
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.1
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.0
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.1
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.2
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.3
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.3.0
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.3.1
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.3.2
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.3.3
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.0
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.1
- cpe:2.3:a:nodejs:node.js:10.0.0
- cpe:2.3:a:nodejs:node.js:10.1.0
- cpe:2.3:a:nodejs:node.js:10.10.0
- cpe:2.3:a:nodejs:node.js:10.11.0
- cpe:2.3:a:nodejs:node.js:10.12.0
- cpe:2.3:a:nodejs:node.js:10.13.0
- cpe:2.3:a:nodejs:node.js:10.14.0
- cpe:2.3:a:nodejs:node.js:10.14.1
- cpe:2.3:a:nodejs:node.js:10.14.2
- cpe:2.3:a:nodejs:node.js:10.15.0
- cpe:2.3:a:nodejs:node.js:10.15.1
- cpe:2.3:a:nodejs:node.js:10.15.2
- cpe:2.3:a:nodejs:node.js:10.15.3
- cpe:2.3:a:nodejs:node.js:10.16.0
- cpe:2.3:a:nodejs:node.js:10.16.1
- cpe:2.3:a:nodejs:node.js:10.16.2
- cpe:2.3:a:nodejs:node.js:10.16.3
- cpe:2.3:a:nodejs:node.js:10.17.0
- cpe:2.3:a:nodejs:node.js:10.18.0
- cpe:2.3:a:nodejs:node.js:10.18.1
- cpe:2.3:a:nodejs:node.js:10.19.0
- cpe:2.3:a:nodejs:node.js:10.2.0
- cpe:2.3:a:nodejs:node.js:10.2.1
- cpe:2.3:a:nodejs:node.js:10.20.0
- cpe:2.3:a:nodejs:node.js:10.20.1
- cpe:2.3:a:nodejs:node.js:10.21.0
- cpe:2.3:a:nodejs:node.js:10.22.0
- cpe:2.3:a:nodejs:node.js:10.22.1
- cpe:2.3:a:nodejs:node.js:10.23.0
- cpe:2.3:a:nodejs:node.js:10.23.1
- cpe:2.3:a:nodejs:node.js:10.23.2
- cpe:2.3:a:nodejs:node.js:10.23.3
- cpe:2.3:a:nodejs:node.js:10.3.0
- cpe:2.3:a:nodejs:node.js:10.4.0
- cpe:2.3:a:nodejs:node.js:10.4.1
- cpe:2.3:a:nodejs:node.js:10.5.0
- cpe:2.3:a:nodejs:node.js:10.6.0
- cpe:2.3:a:nodejs:node.js:10.7.0
- cpe:2.3:a:nodejs:node.js:10.8.0
- cpe:2.3:a:nodejs:node.js:10.9.0
- cpe:2.3:a:nodejs:node.js:12.0.0
- cpe:2.3:a:nodejs:node.js:12.1.0
- cpe:2.3:a:nodejs:node.js:12.10.0
- cpe:2.3:a:nodejs:node.js:12.11.0
- cpe:2.3:a:nodejs:node.js:12.11.1
- cpe:2.3:a:nodejs:node.js:12.12.0
- cpe:2.3:a:nodejs:node.js:12.13.0
- cpe:2.3:a:nodejs:node.js:12.13.1
- cpe:2.3:a:nodejs:node.js:12.14.0
- cpe:2.3:a:nodejs:node.js:12.14.1
- cpe:2.3:a:nodejs:node.js:12.15.0
- cpe:2.3:a:nodejs:node.js:12.16.0
- cpe:2.3:a:nodejs:node.js:12.16.1
- cpe:2.3:a:nodejs:node.js:12.16.2
- cpe:2.3:a:nodejs:node.js:12.16.3
- cpe:2.3:a:nodejs:node.js:12.17.0
- cpe:2.3:a:nodejs:node.js:12.18.0
- cpe:2.3:a:nodejs:node.js:12.18.1
- cpe:2.3:a:nodejs:node.js:12.18.2
- cpe:2.3:a:nodejs:node.js:12.18.3
- cpe:2.3:a:nodejs:node.js:12.18.4
- cpe:2.3:a:nodejs:node.js:12.19.0
- cpe:2.3:a:nodejs:node.js:12.19.1
- cpe:2.3:a:nodejs:node.js:12.2.0
- cpe:2.3:a:nodejs:node.js:12.20.0
- cpe:2.3:a:nodejs:node.js:12.20.1
- cpe:2.3:a:nodejs:node.js:12.20.2
- cpe:2.3:a:nodejs:node.js:12.3.0
- cpe:2.3:a:nodejs:node.js:12.3.1
- cpe:2.3:a:nodejs:node.js:12.4.0
- cpe:2.3:a:nodejs:node.js:12.5.0
- cpe:2.3:a:nodejs:node.js:12.6.0
- cpe:2.3:a:nodejs:node.js:12.7.0
- cpe:2.3:a:nodejs:node.js:12.8.0
- cpe:2.3:a:nodejs:node.js:12.8.1
- cpe:2.3:a:nodejs:node.js:12.9.0
- cpe:2.3:a:nodejs:node.js:12.9.1
- cpe:2.3:a:nodejs:node.js:14.0.0
- cpe:2.3:a:nodejs:node.js:14.1.0
- cpe:2.3:a:nodejs:node.js:14.10.0
- cpe:2.3:a:nodejs:node.js:14.10.1
- cpe:2.3:a:nodejs:node.js:14.11.0
- cpe:2.3:a:nodejs:node.js:14.12.0
- cpe:2.3:a:nodejs:node.js:14.13.0
- cpe:2.3:a:nodejs:node.js:14.13.1
- cpe:2.3:a:nodejs:node.js:14.14.0
- cpe:2.3:a:nodejs:node.js:14.15.0
- cpe:2.3:a:nodejs:node.js:14.2.0
- cpe:2.3:a:nodejs:node.js:14.3.0
- cpe:2.3:a:nodejs:node.js:14.4.0
- cpe:2.3:a:nodejs:node.js:14.5.0
- cpe:2.3:a:nodejs:node.js:14.6.0
- cpe:2.3:a:nodejs:node.js:14.7.0
- cpe:2.3:a:nodejs:node.js:14.8.0
- cpe:2.3:a:nodejs:node.js:14.9.0
- cpe:2.3:a:nodejs:node.js:15.0.0
- cpe:2.3:a:nodejs:node.js:15.0.1
- cpe:2.3:a:nodejs:node.js:15.1.0
- cpe:2.3:a:nodejs:node.js:15.2.0
- cpe:2.3:a:nodejs:node.js:15.2.1
- cpe:2.3:a:nodejs:node.js:15.3.0
- cpe:2.3:a:nodejs:node.js:15.4.0
- cpe:2.3:a:nodejs:node.js:15.5.0
- cpe:2.3:a:nodejs:node.js:15.5.1
- cpe:2.3:a:nodejs:node.js:15.6.0
- cpe:2.3:a:nodejs:node.js:15.7.0
- cpe:2.3:a:nodejs:node.js:15.8.0
- cpe:2.3:a:nodejs:node.js:15.9.0
- cpe:2.3:a:openssl:openssl:1.0.2
- cpe:2.3:a:openssl:openssl:1.0.2a
- cpe:2.3:a:openssl:openssl:1.0.2b
- cpe:2.3:a:openssl:openssl:1.0.2c
- cpe:2.3:a:openssl:openssl:1.0.2d
- cpe:2.3:a:openssl:openssl:1.0.2e
- cpe:2.3:a:openssl:openssl:1.0.2f
- cpe:2.3:a:openssl:openssl:1.0.2g
- cpe:2.3:a:openssl:openssl:1.0.2h
- cpe:2.3:a:openssl:openssl:1.0.2i
- cpe:2.3:a:openssl:openssl:1.0.2j
- cpe:2.3:a:openssl:openssl:1.0.2k
- cpe:2.3:a:openssl:openssl:1.0.2l
- cpe:2.3:a:openssl:openssl:1.0.2m
- cpe:2.3:a:openssl:openssl:1.0.2n
- cpe:2.3:a:openssl:openssl:1.0.2o
- cpe:2.3:a:openssl:openssl:1.0.2p
- cpe:2.3:a:openssl:openssl:1.0.2q
- cpe:2.3:a:openssl:openssl:1.0.2r
- cpe:2.3:a:openssl:openssl:1.0.2s
- cpe:2.3:a:openssl:openssl:1.0.2t
- cpe:2.3:a:openssl:openssl:1.0.2u
- cpe:2.3:a:openssl:openssl:1.0.2v
- cpe:2.3:a:openssl:openssl:1.0.2w
- cpe:2.3:a:openssl:openssl:1.0.2x
- cpe:2.3:a:openssl:openssl:1.1.1
- cpe:2.3:a:openssl:openssl:1.1.1a
- cpe:2.3:a:openssl:openssl:1.1.1b
- cpe:2.3:a:openssl:openssl:1.1.1c
- cpe:2.3:a:openssl:openssl:1.1.1d
- cpe:2.3:a:openssl:openssl:1.1.1e
- cpe:2.3:a:openssl:openssl:1.1.1f
- cpe:2.3:a:openssl:openssl:1.1.1g
- cpe:2.3:a:openssl:openssl:1.1.1h
- cpe:2.3:a:openssl:openssl:1.1.1i
- cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0
- cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0
- cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0
- cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0
- cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0
- cpe:2.3:a:oracle:enterprise_manager_for_storage_management:13.4.0.0
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0
- cpe:2.3:a:oracle:graalvm:19.3.5
- cpe:2.3:a:oracle:graalvm:20.3.1.2
- cpe:2.3:a:oracle:graalvm:21.0.0.2
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:-
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:4.0.1.0
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1.5
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.0
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.0
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.3
- cpe:2.3:a:oracle:jd_edwards_world_security:a9.4
- cpe:2.3:a:oracle:mysql_server:-
- cpe:2.3:a:oracle:mysql_server:5.7.0
- cpe:2.3:a:oracle:mysql_server:5.7.26
- cpe:2.3:a:oracle:mysql_server:5.7.27
- cpe:2.3:a:oracle:mysql_server:5.7.28
- cpe:2.3:a:oracle:mysql_server:5.7.32
- cpe:2.3:a:oracle:mysql_server:8.0.15
- cpe:2.3:a:oracle:mysql_server:8.0.17
- cpe:2.3:a:oracle:mysql_server:8.0.22
- cpe:2.3:a:oracle:nosql_database:19.3.12
- cpe:2.3:a:tenable:log_correlation_engine:-
- cpe:2.3:a:tenable:log_correlation_engine:4.8.0
- cpe:2.3:a:tenable:log_correlation_engine:4.8.1
- cpe:2.3:a:tenable:log_correlation_engine:4.8.2
- cpe:2.3:a:tenable:nessus_network_monitor:5.11.0
- cpe:2.3:a:tenable:nessus_network_monitor:5.11.1
- cpe:2.3:a:tenable:nessus_network_monitor:5.12.0
- cpe:2.3:a:tenable:nessus_network_monitor:5.12.1
- cpe:2.3:a:tenable:nessus_network_monitor:5.13.0
- cpe:2.3:h:fujitsu:m10-1:-
- cpe:2.3:h:fujitsu:m10-4:-
- cpe:2.3:h:fujitsu:m10-4s:-
- cpe:2.3:h:fujitsu:m12-1:-
- cpe:2.3:h:fujitsu:m12-2:-
- cpe:2.3:h:fujitsu:m12-2s:-
- cpe:2.3:o:debian:debian_linux:10.0
- cpe:2.3:o:fujitsu:m10-1_firmware:-
- cpe:2.3:o:fujitsu:m10-1_firmware:xcp
- cpe:2.3:o:fujitsu:m10-1_firmware:xcp2280
- cpe:2.3:o:fujitsu:m10-1_firmware:xcp2361
- cpe:2.3:o:fujitsu:m10-1_firmware:xcp2400
- cpe:2.3:o:fujitsu:m10-1_firmware:xcp2410
- cpe:2.3:o:fujitsu:m10-1_firmware:xcp3070
- cpe:2.3:o:fujitsu:m10-1_firmware:xcp3100
- cpe:2.3:o:fujitsu:m10-4_firmware:-
- cpe:2.3:o:fujitsu:m10-4_firmware:xcp
- cpe:2.3:o:fujitsu:m10-4_firmware:xcp2280
- cpe:2.3:o:fujitsu:m10-4_firmware:xcp2361
- cpe:2.3:o:fujitsu:m10-4_firmware:xcp2400
- cpe:2.3:o:fujitsu:m10-4_firmware:xcp2410
- cpe:2.3:o:fujitsu:m10-4_firmware:xcp3070
- cpe:2.3:o:fujitsu:m10-4_firmware:xcp3100
- cpe:2.3:o:fujitsu:m10-4s_firmware:-
- cpe:2.3:o:fujitsu:m10-4s_firmware:xcp
- cpe:2.3:o:fujitsu:m10-4s_firmware:xcp2280
- cpe:2.3:o:fujitsu:m10-4s_firmware:xcp2361
- cpe:2.3:o:fujitsu:m10-4s_firmware:xcp2400
- cpe:2.3:o:fujitsu:m10-4s_firmware:xcp2410
- cpe:2.3:o:fujitsu:m10-4s_firmware:xcp3070
- cpe:2.3:o:fujitsu:m10-4s_firmware:xcp3100
- cpe:2.3:o:fujitsu:m12-1_firmware:-
- cpe:2.3:o:fujitsu:m12-1_firmware:xcp2361
- cpe:2.3:o:fujitsu:m12-1_firmware:xcp2400
- cpe:2.3:o:fujitsu:m12-1_firmware:xcp2410
- cpe:2.3:o:fujitsu:m12-1_firmware:xcp3070
- cpe:2.3:o:fujitsu:m12-1_firmware:xcp3090
- cpe:2.3:o:fujitsu:m12-1_firmware:xcp3100
- cpe:2.3:o:fujitsu:m12-2_firmware:-
- cpe:2.3:o:fujitsu:m12-2_firmware:xcp2361
- cpe:2.3:o:fujitsu:m12-2_firmware:xcp2400
- cpe:2.3:o:fujitsu:m12-2_firmware:xcp2410
- cpe:2.3:o:fujitsu:m12-2_firmware:xcp3070
- cpe:2.3:o:fujitsu:m12-2_firmware:xcp3090
- cpe:2.3:o:fujitsu:m12-2_firmware:xcp3100
- cpe:2.3:o:fujitsu:m12-2s_firmware:-
- cpe:2.3:o:fujitsu:m12-2s_firmware:xcp2361
- cpe:2.3:o:fujitsu:m12-2s_firmware:xcp2400
- cpe:2.3:o:fujitsu:m12-2s_firmware:xcp2410
- cpe:2.3:o:fujitsu:m12-2s_firmware:xcp3070
- cpe:2.3:o:fujitsu:m12-2s_firmware:xcp3090
- cpe:2.3:o:fujitsu:m12-2s_firmware:xcp3100