CVE-2021-3712
Read buffer overruns processing ASN.1 strings
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).
Las cadenas ASN.1 se representan internamente en OpenSSL como una estructura ASN1_STRING que contiene un búfer que contiene los datos de la cadena y un campo que contiene la longitud del búfer. Esto contrasta con las cadenas C normales, que se representan como un búfer para los datos de la cadena que termina con un byte NUL (0). Aunque no es un requisito estricto, las cadenas ASN.1 que se analizan usando las propias funciones "d2i" de OpenSSL (y otras funciones de análisis similares), así como cualquier cadena cuyo valor ha sido ajustado con la función ASN1_STRING_set(), terminarán adicionalmente con NUL la matriz de bytes en la estructura ASN1_STRING. Sin embargo, es posible que las aplicaciones construyan directamente estructuras ASN1_STRING válidas que no terminen en NUL la matriz de bytes, ajustando directamente los campos "data" y "length" en la matriz ASN1_STRING. Esto también puede ocurrir usando la función ASN1_STRING_set0(). Se ha detectado que numerosas funciones de OpenSSL que imprimen datos ASN.1 asumen que la matriz de bytes ASN1_STRING estará terminada en NUL, aunque esto no está garantizado para las cadenas que han sido construidas directamente. Cuando una aplicación pide que se imprima una estructura ASN.1, y cuando esa estructura ASN.1 contiene ASN1_STRINGs que han sido construidos directamente por la aplicación sin terminar en NUL el campo "data", entonces puede ocurrir un desbordamiento del buffer de lectura. Lo mismo puede ocurrir durante el procesamiento de las restricciones de nombre de los certificados (por ejemplo, si un certificado ha sido construido directamente por la aplicación en lugar de cargarlo por medio de las funciones de análisis de OpenSSL, y el certificado contiene estructuras ASN1_STRING sin terminación NUL). También puede ocurrir en las funciones X509_get1_email(), X509_REQ_get1_email() y X509_get1_ocsp(). Si un actor malicioso puede hacer que una aplicación construya directamente un ASN1_STRING y luego lo procese a mediante una de las funciones de OpenSSL afectadas, este problema podría ser alcanzado. Esto podría resultar en un bloqueo (causando un ataque de Denegación de Servicio). También podría resultar en la revelación de contenidos de memoria privada (como claves privadas, o texto plano confidencial). Corregido en OpenSSL versión 1.1.1l (Afectada 1.1.1-1.1.1k). Corregido en OpenSSL versión 1.0.2za (Afectada 1.0.2-1.0.2y).
It was found that openssl assumed ASN.1 strings to be NUL terminated. A malicious actor may be able to force an application into calling openssl function with a specially crafted, non-NUL terminated string to deliberately hit this bug, which may result in a crash of the application, causing a Denial of Service attack, or possibly, memory disclosure. The highest threat from this vulnerability is to data confidentiality and system availability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-08-16 CVE Reserved
- 2021-08-24 CVE Published
- 2024-07-30 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-125: Out-of-bounds Read
CAPEC
References (23)
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf | 2024-06-21 | |
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | 2024-06-21 | |
https://www.oracle.com/security-alerts/cpuapr2022.html | 2024-06-21 | |
https://www.oracle.com/security-alerts/cpuoct2021.html | 2024-06-21 | |
https://www.tenable.com/security/tns-2022-02 | 2024-06-21 |
URL | Date | SRC |
---|---|---|
https://security.gentoo.org/glsa/202209-02 | 2024-06-21 | |
https://security.gentoo.org/glsa/202210-02 | 2024-06-21 | |
https://www.debian.org/security/2021/dsa-4963 | 2024-06-21 | |
https://www.openssl.org/news/secadv/20210824.txt | 2024-06-21 | |
https://access.redhat.com/security/cve/CVE-2021-3712 | 2022-01-11 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1995634 | 2022-01-11 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | >= 1.0.2 < 1.0.2za Search vendor "Openssl" for product "Openssl" and version " >= 1.0.2 < 1.0.2za" | - |
Affected
| ||||||
Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | >= 1.1.1 < 1.1.1l Search vendor "Openssl" for product "Openssl" and version " >= 1.1.1 < 1.1.1l" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap" | - | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Clustered Data Ontap Antivirus Connector Search vendor "Netapp" for product "Clustered Data Ontap Antivirus Connector" | - | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | E-series Santricity Os Controller Search vendor "Netapp" for product "E-series Santricity Os Controller" | >= 11.0 <= 11.50.2 Search vendor "Netapp" for product "E-series Santricity Os Controller" and version " >= 11.0 <= 11.50.2" | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Hci Management Node Search vendor "Netapp" for product "Hci Management Node" | - | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Manageability Software Development Kit Search vendor "Netapp" for product "Manageability Software Development Kit" | - | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Santricity Smi-s Provider Search vendor "Netapp" for product "Santricity Smi-s Provider" | - | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Solidfire Search vendor "Netapp" for product "Solidfire" | - | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Storage Encryption Search vendor "Netapp" for product "Storage Encryption" | - | - |
Affected
| ||||||
Mcafee Search vendor "Mcafee" | Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator" | < 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version " < 5.10.0" | - |
Affected
| ||||||
Mcafee Search vendor "Mcafee" | Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator" | 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0" | - |
Affected
| ||||||
Mcafee Search vendor "Mcafee" | Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator" | 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0" | update_1 |
Affected
| ||||||
Mcafee Search vendor "Mcafee" | Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator" | 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0" | update_10 |
Affected
| ||||||
Mcafee Search vendor "Mcafee" | Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator" | 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0" | update_2 |
Affected
| ||||||
Mcafee Search vendor "Mcafee" | Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator" | 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0" | update_3 |
Affected
| ||||||
Mcafee Search vendor "Mcafee" | Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator" | 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0" | update_4 |
Affected
| ||||||
Mcafee Search vendor "Mcafee" | Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator" | 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0" | update_5 |
Affected
| ||||||
Mcafee Search vendor "Mcafee" | Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator" | 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0" | update_6 |
Affected
| ||||||
Mcafee Search vendor "Mcafee" | Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator" | 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0" | update_7 |
Affected
| ||||||
Mcafee Search vendor "Mcafee" | Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator" | 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0" | update_8 |
Affected
| ||||||
Mcafee Search vendor "Mcafee" | Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator" | 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0" | update_9 |
Affected
| ||||||
Tenable Search vendor "Tenable" | Nessus Network Monitor Search vendor "Tenable" for product "Nessus Network Monitor" | < 6.0.0 Search vendor "Tenable" for product "Nessus Network Monitor" and version " < 6.0.0" | - |
Affected
| ||||||
Tenable Search vendor "Tenable" | Tenable.sc Search vendor "Tenable" for product "Tenable.sc" | >= 5.16.0 <= 5.19.1 Search vendor "Tenable" for product "Tenable.sc" and version " >= 5.16.0 <= 5.19.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Essbase Search vendor "Oracle" for product "Essbase" | < 11.1.2.4.047 Search vendor "Oracle" for product "Essbase" and version " < 11.1.2.4.047" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Essbase Search vendor "Oracle" for product "Essbase" | >= 21.0 < 21.3 Search vendor "Oracle" for product "Essbase" and version " >= 21.0 < 21.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Essbase Search vendor "Oracle" for product "Essbase" | 21.3 Search vendor "Oracle" for product "Essbase" and version "21.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Mysql Connectors Search vendor "Oracle" for product "Mysql Connectors" | <= 8.0.27 Search vendor "Oracle" for product "Mysql Connectors" and version " <= 8.0.27" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Mysql Enterprise Monitor Search vendor "Oracle" for product "Mysql Enterprise Monitor" | <= 8.0.25 Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 8.0.25" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Mysql Server Search vendor "Oracle" for product "Mysql Server" | >= 5.7.0 <= 5.7.35 Search vendor "Oracle" for product "Mysql Server" and version " >= 5.7.0 <= 5.7.35" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Mysql Server Search vendor "Oracle" for product "Mysql Server" | >= 8.0.0 <= 8.0.26 Search vendor "Oracle" for product "Mysql Server" and version " >= 8.0.0 <= 8.0.26" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Mysql Workbench Search vendor "Oracle" for product "Mysql Workbench" | <= 8.0.26 Search vendor "Oracle" for product "Mysql Workbench" and version " <= 8.0.26" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" | 8.57 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.57" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" | 8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" | 8.59 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Secure Backup Search vendor "Oracle" for product "Secure Backup" | 18.1.0.1.0 Search vendor "Oracle" for product "Secure Backup" and version "18.1.0.1.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Zfs Storage Appliance Kit Search vendor "Oracle" for product "Zfs Storage Appliance Kit" | 8.8 Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8" | - |
Affected
| ||||||
Siemens Search vendor "Siemens" | Sinec Infrastructure Network Services Search vendor "Siemens" for product "Sinec Infrastructure Network Services" | < 1.0.1.1 Search vendor "Siemens" for product "Sinec Infrastructure Network Services" and version " < 1.0.1.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Console Search vendor "Oracle" for product "Communications Cloud Native Core Console" | 1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Console" and version "1.9.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Security Edge Protection Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy" | 1.7.0 Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy" and version "1.7.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Unified Data Repository Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository" | 1.15.0 Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository" and version "1.15.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Session Border Controller Search vendor "Oracle" for product "Communications Session Border Controller" | 8.4 Search vendor "Oracle" for product "Communications Session Border Controller" and version "8.4" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Session Border Controller Search vendor "Oracle" for product "Communications Session Border Controller" | 9.0 Search vendor "Oracle" for product "Communications Session Border Controller" and version "9.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Unified Session Manager Search vendor "Oracle" for product "Communications Unified Session Manager" | 8.2.5 Search vendor "Oracle" for product "Communications Unified Session Manager" and version "8.2.5" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Unified Session Manager Search vendor "Oracle" for product "Communications Unified Session Manager" | 8.4.5 Search vendor "Oracle" for product "Communications Unified Session Manager" and version "8.4.5" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Enterprise Communications Broker Search vendor "Oracle" for product "Enterprise Communications Broker" | 3.2.0 Search vendor "Oracle" for product "Enterprise Communications Broker" and version "3.2.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Enterprise Communications Broker Search vendor "Oracle" for product "Enterprise Communications Broker" | 3.3.0 Search vendor "Oracle" for product "Enterprise Communications Broker" and version "3.3.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Enterprise Session Border Controller Search vendor "Oracle" for product "Enterprise Session Border Controller" | 8.4 Search vendor "Oracle" for product "Enterprise Session Border Controller" and version "8.4" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Enterprise Session Border Controller Search vendor "Oracle" for product "Enterprise Session Border Controller" | 9.0 Search vendor "Oracle" for product "Enterprise Session Border Controller" and version "9.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Health Sciences Inform Publisher Search vendor "Oracle" for product "Health Sciences Inform Publisher" | 6.2.1.0 Search vendor "Oracle" for product "Health Sciences Inform Publisher" and version "6.2.1.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Health Sciences Inform Publisher Search vendor "Oracle" for product "Health Sciences Inform Publisher" | 6.3.1.1 Search vendor "Oracle" for product "Health Sciences Inform Publisher" and version "6.3.1.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Jd Edwards Enterpriseone Tools Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" | < 9.2.6.3 Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" and version " < 9.2.6.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Jd Edwards World Security Search vendor "Oracle" for product "Jd Edwards World Security" | a9.4 Search vendor "Oracle" for product "Jd Edwards World Security" and version "a9.4" | - |
Affected
|