Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j.

Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
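The following caller-side guard is an added example, not OpenSSL code or part of the original advisory: it models how many bytes a streaming block cipher emits per update call and rejects inputs whose output length would not fit in an `int`, then shows a post-call check that does not trust a return value of 1 alone. The function names (`emitted_bytes`, `update_len_fits`, `outl_is_sane`) and the sample values are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Model (not OpenSSL source): a streaming block cipher holding `buffered`
 * bytes (0 <= buffered < bl) that is fed `inl` more bytes emits every whole
 * block now available. Computed in 64 bits so the sum cannot wrap. */
long long emitted_bytes(int buffered, int inl, int bl)
{
    long long total = (long long)buffered + inl;
    return total - (total % bl);
}

/* Pre-call guard: 1 if the emitted length is representable in the int
 * that the *Update functions write through their output length pointer. */
int update_len_fits(int buffered, int inl, int bl)
{
    if (buffered < 0 || inl < 0 || bl <= 0 || buffered >= bl)
        return 0;
    return emitted_bytes(buffered, inl, bl) <= INT_MAX;
}

/* Post-call check: a return code of 1 is not enough on affected versions.
 * Also require 0 <= outl <= inl + bl, the output room the EVP
 * documentation asks callers to provide for decryption. */
int outl_is_sane(int rc, int outl, int inl, int bl)
{
    if (rc != 1 || outl < 0)
        return 0;
    return (long long)outl <= (long long)inl + bl;
}

int main(void)
{
    /* Constructed values: 16-byte block, 15 bytes already buffered. */
    printf("emitted=%lld fits=%d\n",
           emitted_bytes(15, INT_MAX, 16), update_len_fits(15, INT_MAX, 16));
    printf("sane(rc=1, outl=INT_MIN)=%d\n",
           outl_is_sane(1, INT_MIN, INT_MAX, 16));
    return 0;
}
```

Applications that cannot upgrade immediately can feed the cipher in bounded chunks so that `update_len_fits` always holds, and treat a failed `outl_is_sane` as an error.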
Vulnerable Products 67
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
| Openssl Openssl `cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*` | 1.0.2 | 1.0.2y |
| Openssl Openssl `cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*` | 1.1.1 | 1.1.1j |
| Debian Debian_Linux `cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*` | — | — |
| Tenable Log_Correlation_Engine `cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:*` | — | 6.0.8 |
| Tenable Nessus_Network_Monitor `cpe:2.3:a:tenable:nessus_network_monitor:5.11.0:*:*:*:*:*:*:*` | — | — |
| Tenable Nessus_Network_Monitor `cpe:2.3:a:tenable:nessus_network_monitor:5.11.1:*:*:*:*:*:*:*` | — | — |
| Tenable Nessus_Network_Monitor `cpe:2.3:a:tenable:nessus_network_monitor:5.12.0:*:*:*:*:*:*:*` | — | — |
| Tenable Nessus_Network_Monitor `cpe:2.3:a:tenable:nessus_network_monitor:5.12.1:*:*:*:*:*:*:*` | — | — |
| Tenable Nessus_Network_Monitor `cpe:2.3:a:tenable:nessus_network_monitor:5.13.0:*:*:*:*:*:*:*` | — | — |
| Oracle Business_Intelligence `cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*` | — | — |
| Oracle Business_Intelligence `cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*` | — | — |
| Oracle Business_Intelligence `cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*` | — | — |
| Oracle Business_Intelligence `cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*` | — | — |
| Oracle Communications_Cloud_Native_Core_Policy `cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*` | — | — |
| Oracle Enterprise_Manager_For_Storage_Management `cpe:2.3:a:oracle:enterprise_manager_for_storage_management:13.4.0.0:*:*:*:*:*:*:*` | — | — |
| Oracle Enterprise_Manager_Ops_Center `cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*` | — | — |
| Oracle Graalvm `cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:*` | — | — |
| Oracle Graalvm `cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:*` | — | — |
| Oracle Graalvm `cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:*` | — | — |
| Oracle Jd_Edwards_Enterpriseone_Tools `cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*` | — | 9.2.6.0 |
| Oracle Jd_Edwards_World_Security `cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*` | — | — |
| Oracle Mysql_Server `cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*` | — | 5.7.33 |
| Oracle Mysql_Server `cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*` | 8.0.15 | 8.0.23 |
| Oracle Nosql_Database `cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*` | — | 20.3 |
| Mcafee Epolicy_Orchestrator `cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*` | — | 5.10.0 |
| Mcafee Epolicy_Orchestrator `cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*` | — | — |
| Mcafee Epolicy_Orchestrator `cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*` | — | — |
| Mcafee Epolicy_Orchestrator `cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:*` | — | — |
| Mcafee Epolicy_Orchestrator `cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*` | — | — |
| Mcafee Epolicy_Orchestrator `cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*` | — | — |
| Mcafee Epolicy_Orchestrator `cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*` | — | — |
| Mcafee Epolicy_Orchestrator `cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*` | — | — |
| Mcafee Epolicy_Orchestrator `cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*` | — | — |
| Mcafee Epolicy_Orchestrator `cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*` | — | — |
| Mcafee Epolicy_Orchestrator `cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*` | — | — |
| Mcafee Epolicy_Orchestrator `cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:*` | — | — |
| Fujitsu M10-1_Firmware `cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*` | — | xcp2410 |
| Fujitsu M10-1 `cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*` | — | — |
| Fujitsu M10-4_Firmware `cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*` | — | xcp2410 |
| Fujitsu M10-4 `cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*` | — | — |
| Fujitsu M10-4s_Firmware `cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*` | — | xcp2410 |
| Fujitsu M10-4s `cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*` | — | — |
| Fujitsu M12-1_Firmware `cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*` | — | xcp2410 |
| Fujitsu M12-1 `cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*` | — | — |
| Fujitsu M12-2_Firmware `cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*` | — | xcp2410 |
| Fujitsu M12-2 `cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*` | — | — |
| Fujitsu M12-2s_Firmware `cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*` | — | xcp2410 |
| Fujitsu M12-2s `cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*` | — | — |
| Fujitsu M10-1_Firmware `cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*` | — | xcp3110 |
| Fujitsu M10-1 `cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*` | — | — |
| Fujitsu M10-4_Firmware `cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*` | — | xcp3110 |
| Fujitsu M10-4 `cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*` | — | — |
| Fujitsu M10-4s_Firmware `cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*` | — | xcp3110 |
| Fujitsu M10-4s `cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*` | — | — |
| Fujitsu M12-1_Firmware `cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*` | — | xcp3110 |
| Fujitsu M12-1 `cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*` | — | — |
| Fujitsu M12-2_Firmware `cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*` | — | xcp3110 |
| Fujitsu M12-2 `cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*` | — | — |
| Fujitsu M12-2s_Firmware `cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*` | — | xcp3110 |
| Fujitsu M12-2s `cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*` | — | — |
| Nodejs Node.Js `cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*` | 10.0.0 | <= 10.12.0 |
| Nodejs Node.Js `cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*` | 10.13.0 | 10.24.0 |
| Nodejs Node.Js `cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*` | 12.0.0 | <= 12.12.0 |
| Nodejs Node.Js `cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*` | 12.13.0 | 12.21.0 |
| Nodejs Node.Js `cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*` | 14.0.0 | <= 14.14.0 |
| Nodejs Node.Js `cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*` | 15.0.0 | 15.10.0 |
| Nodejs Node.Js `cpe:2.3:a:nodejs:node.js:14.15.0:*:*:*:lts:*:*:*` | — | — |