#VU50740 NULL pointer dereference in OpenSSL


Published: 2021-02-17 | Updated: 2023-10-30

Vulnerability identifier: #VU50740

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23841

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the X509_issuer_and_serial_hash() function when parsing the issuer field in the X509 certificate. A remote attacker can supply a specially crafted certificate, trigger a NULL pointer dereference error and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenSSL: 1.1.1 - 1.1.1i, 1.1.0 - 1.1.0l, 1.0.2 - 1.0.2x, 1.0.1 - 1.0.1u, 1.0.0 - 1.0.0t

Fixed software versions

CPE

External links
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
http://www.openssl.org/news/secadv/20210216.txt

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Rational Build Forge
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Multiple vulnerabilities in IBM Engineering Workflow Management (EWM)
Multiple vulnerabilities in IBM Safer Payments
Multiple vulnerabilities in HPE HP-UX Using OpenSSL
Multiple vulnerabilities in IBM Aspera Orchestrator
Multiple vulnerabilities in Dell Storage Monitoring and Reporting (SMR)
Multiple vulnerabilities in IBM Aspera Faspex
Multiple vulnerabilities in IBM Security Verify Bridge
Multiple vulnerabilities in IBM MaaS360 Cloud Extender and Modules