CVE-2021-3711

{"id": "CVE-2021-3711", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-08-24T15:15:09.133", "references": [{"url": "http://www.openwall.com/lists/oss-security/2021/08/26/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", "source": "openssl-security@openssl.org"}, {"url": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", "source": "openssl-security@openssl.org"}, {"url": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", "source": "openssl-security@openssl.org"}, {"url": "https://security.gentoo.org/glsa/202209-02", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://security.gentoo.org/glsa/202210-02", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://security.netapp.com/advisory/ntap-20210827-0010/", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://security.netapp.com/advisory/ntap-20211022-0003/", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/", "source": "openssl-security@openssl.org"}, {"url": "https://www.debian.org/security/2021/dsa-4963", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.openssl.org/news/secadv/20210824.txt", "tags": ["Vendor Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.tenable.com/security/tns-2021-16", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.tenable.com/security/tns-2022-02", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-120"}]}], "descriptions": [{"lang": "en", "value": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k)."}, {"lang": "es", "value": "Para descifrar los datos cifrados de SM2 se espera que una aplicaci\u00f3n llame a la funci\u00f3n de la API EVP_PKEY_decrypt(). Normalmente, una aplicaci\u00f3n llamar\u00e1 a esta funci\u00f3n dos veces. La primera vez, al entrar, el par\u00e1metro \"out\" puede ser NULL y, al salir, el par\u00e1metro \"outlen\" se rellena con el tama\u00f1o del b\u00fafer necesario para contener el texto plano descifrado. La aplicaci\u00f3n puede entonces asignar un b\u00fafer de tama\u00f1o suficiente y llamar de nuevo a EVP_PKEY_decrypt(), pero esta vez pasando un valor no NULL para el par\u00e1metro \"out\". Un bug en la implementaci\u00f3n del c\u00f3digo de descifrado SM2 significa que el c\u00e1lculo del tama\u00f1o del b\u00fafer necesario para mantener el texto plano devuelto por la primera llamada a EVP_PKEY_decrypt() puede ser menor que el tama\u00f1o real requerido por la segunda llamada. Esto puede conllevar a un desbordamiento del b\u00fafer cuando la aplicaci\u00f3n llama a EVP_PKEY_decrypt() por segunda vez con un b\u00fafer demasiado peque\u00f1o. Un atacante malicioso que sea capaz de presentar el contenido de SM2 para su descifrado a una aplicaci\u00f3n podr\u00eda causar que los datos elegidos por el atacante desborden el b\u00fafer hasta un m\u00e1ximo de 62 bytes alterando el contenido de otros datos mantenidos despu\u00e9s del b\u00fafer, posiblemente cambiando el comportamiento de la aplicaci\u00f3n o causando el bloqueo de la misma. La ubicaci\u00f3n del b\u00fafer depende de la aplicaci\u00f3n, pero normalmente se asigna a la pila. Corregido en OpenSSL versi\u00f3n 1.1.1l (Afectada 1.1.1-1.1.1k)."}], "lastModified": "2024-06-21T19:15:20.213", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9592A08-7FF0-490F-B684-6EA8E49F36C7", "versionEndExcluding": "1.1.1l", "versionStartIncluding": "1.1.1"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "vulnerable": true, "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5"}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE"}, {"criteria": "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1FE996B1-6951-4F85-AA58-B99A379D2163"}, {"criteria": "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62347994-1353-497C-9C4A-D5D8D95F67E8"}, {"criteria": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "433D435D-13D0-4EAA-ACD9-DD88DA712D00", "versionEndIncluding": "11.50.2", "versionStartIncluding": "11.0"}, {"criteria": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3C19813-E823-456A-B1CE-EC0684CE1953"}, {"criteria": "cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D39DCAE7-494F-40B2-867F-6C6A077939DD"}, {"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5"}, {"criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3"}, {"criteria": "cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "361B791A-D336-4431-8F68-8135BEFFAEA2"}, {"criteria": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94"}, {"criteria": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6E9EF0C-AFA8-4F7B-9FDC-1E0F7C26E737"}, {"criteria": "cpe:2.3:a:netapp:storage_encryption:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D82795C-F1ED-4D2C-B578-75B9EECBB99C"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD4349FE-EEF8-489A-8ABF-5FCD55EC6DE0"}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6EAA723-2A23-4151-930B-86ACF9CC1C0C"}, {"criteria": "cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9C416FD3-2E2F-4BBC-BD5F-F896825883F4"}, {"criteria": "cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D886339E-EDB2-4879-BD54-1800E4CA9CAE"}, {"criteria": "cpe:2.3:a:oracle:communications_unified_session_manager:8.2.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB468FEE-A0F4-49A0-BBEE-10D0733C87D4"}, {"criteria": "cpe:2.3:a:oracle:communications_unified_session_manager:8.4.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC5C177E-0C77-48C9-847A-A9E5AA7DBC1F"}, {"criteria": "cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "348EEE70-E114-4720-AAAF-E77DE5C9A2D1"}, {"criteria": "cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3DCDD73B-57B1-4580-B922-5662E3AC13B6"}, {"criteria": "cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7015A8CB-8FA6-423E-8307-BD903244F517"}, {"criteria": "cpe:2.3:a:oracle:enterprise_session_border_controller:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F9A4E206-56C7-4578-AC9C-088B0C8D9CFE"}, {"criteria": "cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C78A7E07-AB08-46C5-942D-B40BBE0C0D06", "versionEndExcluding": "11.1.2.4.47"}, {"criteria": "cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F2A9C248-94B0-4F7B-AD9C-4BE55AA1E3F2", "versionEndExcluding": "21.3", "versionStartIncluding": "21.1"}, {"criteria": "cpe:2.3:a:oracle:health_sciences_inform_publisher:6.2.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F12453B-0E7B-46B9-ADEC-0AC5EDC41058"}, {"criteria": "cpe:2.3:a:oracle:health_sciences_inform_publisher:6.3.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D105A5B-0AA8-4782-B804-CB1384F85884"}, {"criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BE34D4F7-5C18-4578-8D0A-722FDF931333", "versionEndExcluding": "9.2.6.3"}, {"criteria": "cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B1CAD50-749F-4ADB-A046-BF3585677A58"}, {"criteria": "cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AE23C7E1-F849-411D-850F-A504D4BA3414", "versionEndIncluding": "8.0.27"}, {"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88627B99-16DC-4878-A63A-A40F6FC1F477", "versionEndIncluding": "8.0.25"}, {"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E667933A-37EA-4BC2-9180-C3B4B7038866", "versionEndIncluding": "5.7.35", "versionStartIncluding": "5.7.0"}, {"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "709E83B4-8C66-4255-870B-2F72B37BA8C6", "versionEndIncluding": "8.0.26", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E1E416B-920B-49A0-9523-382898C2979D"}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9"}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597"}, {"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tenable:nessus_network_monitor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FD1ED11-84AA-47E6-AD00-E08D035AF53B", "versionEndIncluding": "5.13.1"}, {"criteria": "cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D977244-DC29-4301-8D89-0BD01BC328B8", "versionEndIncluding": "5.19.1", "versionStartIncluding": "5.16.0"}], "operator": "OR"}]}], "sourceIdentifier": "openssl-security@openssl.org"}