#VU50745 Input validation error in OpenSSL


Published: 2021-02-17 | Updated: 2022-06-03

Vulnerability identifier: #VU50745

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23840

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input during EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate calls. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenSSL: 1.1.1 - 1.1.1i, 1.1.0 - 1.1.0l, 1.0.2 - 1.0.2x, 1.0.1 - 1.0.1u, 1.0.0 - 1.0.0t

CPE

External links
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
http://www.openssl.org/news/secadv/20210216.txt

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in HPE HP-UX Using OpenSSL
Multiple vulnerabilities in IBM Aspera Orchestrator
Multiple vulnerabilities in Dell Storage Monitoring and Reporting (SMR)
Multiple vulnerabilities in Juniper Networks Contrail Networking
Multiple vulnerabilities in IBM Aspera Faspex
Multiple vulnerabilities in IBM Security Verify Bridge
Multiple vulnerabilities in IBM MaaS360 Cloud Extender and Modules
Multiple vulnerabilities in IBM Security Verify products
Multiple vulnerabilities in IBM InfoSphere Information Server
Denial of service in IBM DataPower Gateway