CVE-2021-23840
Description
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument (the int *outl parameter) in some cases where the input length is close to the maximum permissible length for an integer on the platform (INT_MAX). In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. An application that uses that length to advance a pointer or size a later write without checking its sign could behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
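The following C program is an added illustration and is not OpenSSL source code. It models the output-length bookkeeping described above for a block cipher that buffers a partial block between calls (a simplified model; the real EVP_CIPHER_CTX and cipher code do far more), reproduces the condition in which the call returns 1 with a negative length, and shows two caller-side checks: a pre-call bound on the input length in the spirit of the 1.1.1j fix, and a chunking wrapper that also rejects a negative length, for applications that cannot upgrade libcrypto yet. The model_ctx type, the model_update callback, MAX_CHUNK and the 16-byte block size are assumptions made for the example; the update callback has the same shape as EVP_EncryptUpdate/EVP_DecryptUpdate so the wrapper could be pointed at the real functions.

```c
/* Added example, not OpenSSL source: a model of the length bookkeeping behind
 * CVE-2021-23840 plus two caller-side checks. Build: cc -std=c99 -Wall model.c */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Only the state the model needs; a real EVP_CIPHER_CTX holds much more. */
struct model_ctx { int block_size; int buf_len; };

/* Simplified model of the vulnerable accounting: buf_len bytes are left over
 * from an earlier call and inl new bytes arrive. Emitted = the completed
 * buffered block + every whole block of new input. The result is stored in
 * an int, so once buf_len + inl exceeds INT_MAX it wraps negative while the
 * call still returns 1. The wrap is spelled out in long long to stay
 * well-defined C. Assumption: block_size is a small positive value. */
static int model_update_len(int buf_len, int block_size, int inl, int *outl)
{
    long long total = 0, remaining = inl;

    if (inl <= 0 || block_size <= 0 || buf_len < 0 || buf_len >= block_size)
        return 0;
    if (buf_len != 0) {
        long long need = block_size - buf_len;
        if (need > remaining) {          /* still no complete block */
            *outl = 0;
            return 1;
        }
        remaining -= need;
        total = block_size;              /* the completed buffered block */
    }
    remaining -= remaining % block_size; /* trailing partial block stays buffered */
    total += remaining;
    if (total > INT_MAX)                 /* emulate the 32-bit int store */
        total -= 4294967296LL;           /* 2^32: two's-complement wraparound */
    *outl = (int)total;
    return 1;                            /* "success" even when *outl < 0 */
}

/* EVP_*Update-shaped callback over the model; no bytes are transformed. */
static int model_update(void *vctx, unsigned char *out, int *outl,
                        const unsigned char *in, int inl)
{
    struct model_ctx *ctx = vctx;
    (void)out; (void)in;
    if (!model_update_len(ctx->buf_len, ctx->block_size, inl, outl))
        return 0;
    ctx->buf_len = (int)(((long long)ctx->buf_len + inl) % ctx->block_size);
    return 1;
}

/* Reproduces the bug: 15 bytes buffered, then an INT_MAX-byte update. */
static int vulnerable_outl(void)
{
    struct model_ctx ctx = { 16, 15 };
    int outl = 0;
    if (model_update(&ctx, NULL, &outl, NULL, INT_MAX) != 1)
        return 0;                        /* a failure would have been the safe outcome */
    return outl;                         /* INT_MIN: negative, yet the call "succeeded" */
}

/* Check 1, in the spirit of the 1.1.1j fix: refuse an input length that could
 * push the stored output length past INT_MAX. Bounding by block_size rather
 * than the current buf_len keeps the check valid whatever is buffered. */
static int input_len_is_safe(int block_size, int inl)
{
    return inl >= 0 && block_size > 0 && inl <= INT_MAX - block_size;
}

/* Check 2, for callers that cannot upgrade: feed the cipher in bounded chunks
 * so no single call can approach INT_MAX, and treat a negative *outl as an
 * error even when the call returns 1. With the real library `update` would
 * be EVP_EncryptUpdate or EVP_DecryptUpdate. */
typedef int (*update_fn)(void *ctx, unsigned char *out, int *outl,
                         const unsigned char *in, int inl);
#define MAX_CHUNK (1 << 20)              /* 1 MiB per call; anything far below INT_MAX works */

static long long chunked_update(update_fn update, void *ctx, unsigned char *out,
                                const unsigned char *in, size_t inl)
{
    long long written = 0;
    while (inl > 0) {
        int n = inl > (size_t)MAX_CHUNK ? MAX_CHUNK : (int)inl;
        int outl = -1;
        if (update(ctx, out, &outl, in, n) != 1 || outl < 0)
            return -1;                   /* never trust a negative length */
        written += outl; out += outl; in += n; inl -= (size_t)n;
    }
    return written;
}

/* Drives chunked_update over `total` constructed zero bytes with buf_len already buffered. */
static long long demo_chunked(size_t total, int buf_len)
{
    struct model_ctx ctx = { 16, buf_len };
    unsigned char *in = calloc(total + 1, 1);
    unsigned char *out = calloc(total + 16, 1);  /* room for the completed buffered block */
    long long written = (in && out) ? chunked_update(model_update, &ctx, out, in, total) : -2;
    free(in); free(out);
    return written;
}

int main(void)
{
    printf("vulnerable path: outl=%d (INT_MIN is %d)\n", vulnerable_outl(), INT_MIN);
    printf("guard accepts INT_MAX input? %d\n", input_len_is_safe(16, INT_MAX));
    printf("chunked 3 MiB + 5 bytes -> %lld bytes emitted\n", demo_chunked(3145733, 0));
    return 0;
}
```

The chunked wrapper is the practical takeaway: even on a fixed library, checking outl >= 0 after every EVP_*Update call costs nothing and turns a silent length wrap into a hard failure, and keeping per-call input far below INT_MAX means the overflow condition is never reachable from application data.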
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2021-23841,CVE-2021-23840,CVE-2021-3712 are fixed in OpenSSL 1.1.1j | Windows |
| Vulnerabilities CVE-2021-23841,CVE-2021-23840,CVE-2021-3712 are fixed in OpenSSL (x64) 1.1.1j | Windows |
| Vulnerabilities CVE-2021-22883,CVE-2021-22884,CVE-2018-7160,CVE-2021-23840 are fixed in Node.js 12 (x64) (12.21.0) | Windows |
| Vulnerabilities CVE-2021-22883,CVE-2021-22884,CVE-2018-7160,CVE-2021-23840 are fixed in Node.js 12 (12.21.0) | Windows |
| Vulnerabilities CVE-2021-22883,CVE-2021-22884,CVE-2018-7160,CVE-2021-23840 are fixed in Node.js 14 (x64) (14.16.0) | Windows |
| Vulnerabilities CVE-2021-22883,CVE-2021-22884,CVE-2018-7160,CVE-2021-23840 are fixed in Node.js 14 (14.16.0) | Windows |
| Vulnerabilities CVE-2021-22883,CVE-2021-22884,CVE-2018-7160,CVE-2021-23840 are fixed in Node.js 10 (x64) (10.24.0) | Windows |
| Vulnerabilities CVE-2021-22883,CVE-2021-22884,CVE-2018-7160,CVE-2021-23840 are fixed in Node.js 10 (10.24.0) | Windows |
| Vulnerabilities CVE-2021-22883,CVE-2021-22884,CVE-2018-7160,CVE-2021-23840 are fixed in Node.js 15.10.0 | Windows |
| Vulnerabilities CVE-2021-22883,CVE-2021-22884,CVE-2018-7160,CVE-2021-23840 are fixed in Node.js 10 (x64) (10.24.1) | Windows |
| Vulnerabilities CVE-2021-23840,CVE-2021-23841,CVE-2021-20077 are fixed in Nessus Agent (8.2.3.20045) | Windows |
| Vulnerabilities CVE-2021-23840,CVE-2021-23841,CVE-2021-20077 are fixed in Nessus Agent (x64) (8.2.3.20045) | Windows |
| Multiple vulnerabilities are fixed in Couchbase Server Enterprise Edition 6.6.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1.7 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2.4 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 12.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.2 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.4 | Windows |
| Multiple Vulnerabilities are affected in Nessus Network Monitor 5.13.0 | Windows |
| Multiple Vulnerabilities are affected in Nessus Network Monitor 5.11.0 | Windows |
| Multiple Vulnerabilities are affected in Nessus Network Monitor 5.11.1 | Windows |
| Multiple Vulnerabilities are affected in Nessus Network Monitor 5.12.0 | Windows |
| Vulnerabilities CVE-2021-23840,CVE-2021-23841,CVE-2021-3449,CVE-2021-3450 are affected in Nessus Network Monitor 5.12.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.0 | Windows |
| Multiple Vulnerabilities are affected in IBM MQ 8.0 | Windows |
| Multiple Vulnerabilities are affected in IBM MQ 9.0 | Windows |
| Multiple Vulnerabilities are affected in IBM MQ 9.1 | Windows |
| Multiple Vulnerabilities are affected in IBM MQ 9.2 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 20.0 | Windows |
| openssl security update(DSA-4855-1) openssl_1.1.1d-0+deb10u5_i386.deb | Linux |
| openssl security update(DSA-4855-1) openssl_1.1.1d-0+deb10u5_amd64.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4738-1) libssl1.1_1.1.1f-1ubuntu2.2_i386.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4738-1) libssl1.1_1.1.1f-1ubuntu2.2_amd64.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4738-1) libssl1.1_1.1.1f-1ubuntu4.2_i386.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4738-1) libssl1.1_1.1.1f-1ubuntu4.2_amd64.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4738-1) libssl1.1_1.1.1-1ubuntu2.1~18.04.8_i386.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4738-1) libssl1.1_1.1.1-1ubuntu2.1~18.04.8_amd64.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4738-1) libssl1.0.0_1.0.2n-1ubuntu5.6_i386.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4738-1) libssl1.0.0_1.0.2n-1ubuntu5.6_amd64.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4738-1) libssl1.0.0_1.0.2g-1ubuntu4.19_i386.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4738-1) libssl1.0.0_1.0.2g-1ubuntu4.19_amd64.deb | Linux |
| SUSE-SU-2021:0752-1(SUSE Linux Enterprise Server 12-SP5 ) libopenssl1_1-1.1.1d-2.30.1.x86_64.rpm | Linux |
| SUSE-SU-2021:0752-1(SUSE Linux Enterprise Server 12-SP5 ) libopenssl1_1-32bit-1.1.1d-2.30.1.x86_64.rpm | Linux |
| SUSE-SU-2021:0752-1(SUSE Linux Enterprise Server 12-SP5 ) libopenssl1_1-debuginfo-1.1.1d-2.30.1.x86_64.rpm | Linux |
| SUSE-SU-2021:0752-1(SUSE Linux Enterprise Server 12-SP5 ) libopenssl1_1-debuginfo-32bit-1.1.1d-2.30.1.x86_64.rpm | Linux |
| SUSE-SU-2021:0752-1(SUSE Linux Enterprise Server 12-SP5 ) openssl-1_1-1.1.1d-2.30.1.x86_64.rpm | Linux |
| SUSE-SU-2021:0752-1(SUSE Linux Enterprise Server 12-SP5 ) openssl-1_1-debuginfo-1.1.1d-2.30.1.x86_64.rpm | Linux |
| SUSE-SU-2021:0752-1(SUSE Linux Enterprise Server 12-SP5 ) openssl-1_1-debugsource-1.1.1d-2.30.1.x86_64.rpm | Linux |
| UEFI firmware for virtual machines (USN-5088-1) ovmf_2020.11-4ubuntu0.1_all.deb | Linux |
| UEFI firmware for virtual machines (USN-5088-1) ovmf_0~20191122.bd85bf54-2ubuntu3.3_all.deb | Linux |
| UEFI firmware for virtual machines (USN-5088-1) qemu-efi_2020.11-4ubuntu0.1_all.deb | Linux |
| UEFI firmware for virtual machines (USN-5088-1) qemu-efi_0~20191122.bd85bf54-2ubuntu3.3_all.deb | Linux |
| UEFI firmware for virtual machines (USN-5088-1) ovmf-ia32_2020.11-4ubuntu0.1_all.deb | Linux |
| UEFI firmware for virtual machines (USN-5088-1) qemu-efi-arm_2020.11-4ubuntu0.1_all.deb | Linux |
| UEFI firmware for virtual machines (USN-5088-1) qemu-efi-arm_0~20191122.bd85bf54-2ubuntu3.3_all.deb | Linux |
| UEFI firmware for virtual machines (USN-5088-1) qemu-efi-aarch64_2020.11-4ubuntu0.1_all.deb | Linux |
| UEFI firmware for virtual machines (USN-5088-1) qemu-efi-aarch64_0~20191122.bd85bf54-2ubuntu3.3_all.deb | Linux |
| (RHSA-2021:3798) openssl security update openssl-1.0.2k-22.el7_9.x86_64.rpm | Linux |
| (RHSA-2021:3798) openssl security update openssl-devel-1.0.2k-22.el7_9.i686.rpm | Linux |
| (RHSA-2021:3798) openssl security update openssl-devel-1.0.2k-22.el7_9.x86_64.rpm | Linux |
| (RHSA-2021:3798) openssl security update openssl-libs-1.0.2k-22.el7_9.i686.rpm | Linux |
| (RHSA-2021:3798) openssl security update openssl-libs-1.0.2k-22.el7_9.x86_64.rpm | Linux |
| (RHSA-2021:3798) openssl security update openssl-perl-1.0.2k-22.el7_9.x86_64.rpm | Linux |
| (RHSA-2021:3798) openssl security update openssl-static-1.0.2k-22.el7_9.i686.rpm | Linux |
| (RHSA-2021:3798) openssl security update openssl-static-1.0.2k-22.el7_9.x86_64.rpm | Linux |
| Openssl update (ELSA-2021-3798) openssl-1.0.2k-22.el7_9.x86_64.rpm | Linux |
| Openssl-devel update (ELSA-2021-3798) openssl-devel-1.0.2k-22.el7_9.i686.rpm | Linux |
| Openssl-devel update (ELSA-2021-3798) openssl-devel-1.0.2k-22.el7_9.x86_64.rpm | Linux |
| Openssl-libs update (ELSA-2021-3798) openssl-libs-1.0.2k-22.el7_9.i686.rpm | Linux |
| Openssl-libs update (ELSA-2021-3798) openssl-libs-1.0.2k-22.el7_9.x86_64.rpm | Linux |
| Openssl-perl update (ELSA-2021-3798) openssl-perl-1.0.2k-22.el7_9.x86_64.rpm | Linux |
| Openssl-static update (ELSA-2021-3798) openssl-static-1.0.2k-22.el7_9.i686.rpm | Linux |
| Openssl-static update (ELSA-2021-3798) openssl-static-1.0.2k-22.el7_9.x86_64.rpm | Linux |
| Integer Overflow or Wraparound Vulnerability (CVE-2021-23840) | NCM |
Patch Details
| Patch ID | Patch Description |
|---|---|
| PATCH-324371 | Node.js 12 (x64) (12.22.12) |
| PATCH-324370 | Node.js 12 (12.22.12) |
| PATCH-329083 | Node.js 14 (x64) (14.21.3) |
| PATCH-329082 | Node.js 14 (14.21.3) |
| PATCH-319043 | Node.js 10 (x64) (10.24.1) |
| PATCH-319042 | Node.js 10 (10.24.1) |
| PATCH-337447 | Nessus Agent (10.6.1) |
| PATCH-337448 | Nessus Agent (x64) (10.6.1) |
References
https://nvd.nist.gov/vuln/detail/CVE-2021-23840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840