CVE-2020-1971: Null Pointer Dereference

First published: Wed Dec 02 2020(Updated: )

A null pointer dereference flaw was found in openssl. A remote attacker, able to control the arguments of the GENERAL_NAME_cmp function, could cause the application, compiled with openssl to crash resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Credit: openssl-security@openssl.org

Affected Software	Affected Version	How to fix
redhat/jbcs-httpd24-brotli	<0:1.0.6-40.jbcs.el7	0:1.0.6-40.jbcs.el7
redhat/jbcs-httpd24-httpd	<0:2.4.37-66.jbcs.el7	0:2.4.37-66.jbcs.el7
redhat/jbcs-httpd24-nghttp2	<0:1.39.2-35.jbcs.el7	0:1.39.2-35.jbcs.el7
redhat/jbcs-httpd24-openssl	<1:1.1.1g-3.jbcs.el7	1:1.1.1g-3.jbcs.el7
redhat/jbcs-httpd24-openssl-chil	<0:1.0.0-3.jbcs.el7	0:1.0.0-3.jbcs.el7
redhat/jbcs-httpd24-openssl-pkcs11	<0:0.4.10-18.jbcs.el7	0:0.4.10-18.jbcs.el7
redhat/openssl	<0:1.0.1e-59.el6_10	0:1.0.1e-59.el6_10
redhat/openssl	<1:1.0.2k-21.el7_9	1:1.0.2k-21.el7_9
redhat/openssl	<1:1.0.1e-52.el7_2	1:1.0.1e-52.el7_2
redhat/openssl	<1:1.0.1e-61.el7_3	1:1.0.1e-61.el7_3
redhat/openssl	<1:1.0.2k-9.el7_4	1:1.0.2k-9.el7_4
redhat/openssl	<1:1.0.2k-17.el7_6	1:1.0.2k-17.el7_6
redhat/openssl	<1:1.0.2k-20.el7_7	1:1.0.2k-20.el7_7
redhat/openssl	<1:1.1.1g-12.el8_3	1:1.1.1g-12.el8_3
redhat/openssl	<1:1.1.1-9.el8_0	1:1.1.1-9.el8_0
redhat/openssl	<1:1.1.1c-3.el8_1	1:1.1.1c-3.el8_1
redhat/openssl	<1:1.1.1c-16.el8_2	1:1.1.1c-16.el8_2
redhat/tomcat-native	<0:1.2.23-23.redhat_23.ep7.el7	0:1.2.23-23.redhat_23.ep7.el7
redhat/jws5-tomcat	<0:9.0.36-9.redhat_8.1.el7	0:9.0.36-9.redhat_8.1.el7
redhat/jws5-tomcat-native	<0:1.2.25-3.redhat_3.el7	0:1.2.25-3.redhat_3.el7
redhat/jws5-tomcat	<0:9.0.36-9.redhat_8.1.el8	0:9.0.36-9.redhat_8.1.el8
redhat/jws5-tomcat-native	<0:1.2.25-3.redhat_3.el8	0:1.2.25-3.redhat_3.el8
IBM Cognos Analytics	<=12.0.0-12.0.1
IBM Cognos Analytics	<=11.2.0-11.2.4 FP2
IBM Cognos Analytics	<=11.1.1-11.1.7 FP7
redhat/openssl	<1.1.1	1.1.1
OpenSSL OpenSSL	>=1.0.2<1.0.2x
OpenSSL OpenSSL	>=1.1.1<1.1.1i
Debian Debian Linux	=9.0
Debian Debian Linux	=10.0
Fedoraproject Fedora	=32
Fedoraproject Fedora	=33
Oracle API Gateway	=11.1.2.4.0
Oracle Business Intelligence	=5.5.0.0.0
Oracle Business Intelligence	=5.9.0.0.0
Oracle Business Intelligence	=12.2.1.3.0
Oracle Business Intelligence	=12.2.1.4.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment	=1.10.0
Oracle Communications Diameter Intelligence Hub	>=8.0.0<=8.1.0
Oracle Communications Diameter Intelligence Hub	>=8.2.0<=8.2.3
Oracle Communications Session Border Controller	=cz8.2
Oracle Communications Session Border Controller	=cz8.3
Oracle Communications Session Border Controller	=cz8.4
Oracle Communications Session Router	=cz8.2
Oracle Communications Session Router	=cz8.3
Oracle Communications Session Router	=cz8.4
Oracle Communications Subscriber-aware Load Balancer	=cz8.2
Oracle Communications Subscriber-aware Load Balancer	=cz8.3
Oracle Communications Subscriber-aware Load Balancer	=cz8.4
Oracle Communications Unified Session Manager	=scz8.2.5
Oracle Enterprise Communications Broker	=pcz3.1
Oracle Enterprise Communications Broker	=pcz3.2
Oracle Enterprise Communications Broker	=pcz3.3
Oracle Enterprise Manager Base Platform	=13.3.0.0
Oracle Enterprise Manager Base Platform	=13.4.0.0
Oracle Enterprise Manager For Storage Management	=13.4.0.0
Oracle Enterprise Manager Ops Center	=12.4.0.0
Oracle Enterprise Session Border Controller	=cz8.2
Oracle Enterprise Session Border Controller	=cz8.3
Oracle Enterprise Session Border Controller	=cz8.4
Oracle Essbase	=21.2
Oracle GraalVM	=19.3.4
Oracle GraalVM	=20.3.0
Oracle HTTP Server	=12.2.1.4.0
Oracle Jd Edwards Enterpriseone Tools	<9.2.5.3
Oracle Jd Edwards World Security	=a9.4
Oracle MySQL	<=8.0.22
Oracle Mysql Server	<=5.7.32
Oracle Mysql Server	>=8.0.15<=8.0.22
Oracle PeopleSoft Enterprise PeopleTools	=8.56
Oracle PeopleSoft Enterprise PeopleTools	=8.57
Oracle PeopleSoft Enterprise PeopleTools	=8.58
Netapp Active Iq Unified Manager Vmware Vsphere
Netapp Active Iq Unified Manager Windows
Netapp Clustered Data Ontap Antivirus Connector
Netapp Data Ontap 7-mode
NetApp E-Series SANtricity OS Controller	>=11.0.0<=11.60.3
Netapp Hci Management Node
Netapp Manageability Software Development Kit
NetApp OnCommand Insight
NetApp OnCommand Workflow Automation
Netapp Plug-in For Symantec Netbackup
Netapp Santricity Smi-s Provider
Netapp Snapcenter
Netapp Solidfire
Netapp Hci Compute Node
Netapp Hci Storage Node
Netapp Ef600a Firmware
Netapp Ef600a
Netapp Aff A250 Firmware
Netapp Aff A250
Tenable Log Correlation Engine	<6.0.9
Tenable Nessus Network Monitor	<5.13.1
Siemens Sinec Infrastructure Network Services	<1.0.1.1
Nodejs Node.js	>=10.0.0<=10.12.0
Nodejs Node.js	>=10.13.0<10.23.1
Nodejs Node.js	>=12.0.0<=12.12.0
Nodejs Node.js	>=12.13.0<12.20.1
Nodejs Node.js	>=14.0.0<=14.14.0
Nodejs Node.js	>=14.15.0<14.15.4
Nodejs Node.js	>=15.0.0<15.5.0

Remedy

Applications not using the GENERAL_NAME_cmp of openssl are not vulnerable to this flaw. Even when this function is used, if the attacker can control both the arguments of this function, only then the attacker could trigger a crash.

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

collector/redhat-cve
agent/type
agent/first-publish-date
agent/author
agent/severity
agent/remedy
agent/event
agent/references
agent/weakness
agent/description
collector/ibm-support
source/IBM
agent/software-canonical-lookup
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2020-1971
agent/last-modified-date
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
package-manager/redhat
vendor/ibm
canonical/ibm cognos analytics
version/ibm cognos analytics/12.0.0-12.0.1
version/ibm cognos analytics/11.2.0-11.2.4 fp2
version/ibm cognos analytics/11.1.1-11.1.7 fp7
vendor/openssl
canonical/openssl openssl
version/openssl openssl/1.0.2
version/openssl openssl/1.1.1
vendor/debian
canonical/debian debian linux
version/debian debian linux/9.0
version/debian debian linux/10.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/32
version/fedoraproject fedora/33
vendor/oracle
canonical/oracle api gateway
version/oracle api gateway/11.1.2.4.0
canonical/oracle business intelligence
version/oracle business intelligence/5.5.0.0.0
version/oracle business intelligence/5.9.0.0.0
version/oracle business intelligence/12.2.1.3.0
version/oracle business intelligence/12.2.1.4.0
canonical/oracle communications cloud native core network function cloud native environment
version/oracle communications cloud native core network function cloud native environment/1.10.0
canonical/oracle communications diameter intelligence hub
version/oracle communications diameter intelligence hub/8.0.0
version/oracle communications diameter intelligence hub/8.1.0
version/oracle communications diameter intelligence hub/8.2.0
version/oracle communications diameter intelligence hub/8.2.3
canonical/oracle communications session border controller
version/oracle communications session border controller/cz8.2
version/oracle communications session border controller/cz8.3
version/oracle communications session border controller/cz8.4
canonical/oracle communications session router
version/oracle communications session router/cz8.2
version/oracle communications session router/cz8.3
version/oracle communications session router/cz8.4
canonical/oracle communications subscriber-aware load balancer
version/oracle communications subscriber-aware load balancer/cz8.2
version/oracle communications subscriber-aware load balancer/cz8.3
version/oracle communications subscriber-aware load balancer/cz8.4
canonical/oracle communications unified session manager
version/oracle communications unified session manager/scz8.2.5
canonical/oracle enterprise communications broker
version/oracle enterprise communications broker/pcz3.1
version/oracle enterprise communications broker/pcz3.2
version/oracle enterprise communications broker/pcz3.3
canonical/oracle enterprise manager base platform
version/oracle enterprise manager base platform/13.3.0.0
version/oracle enterprise manager base platform/13.4.0.0
canonical/oracle enterprise manager for storage management
version/oracle enterprise manager for storage management/13.4.0.0
canonical/oracle enterprise manager ops center
version/oracle enterprise manager ops center/12.4.0.0
canonical/oracle enterprise session border controller
version/oracle enterprise session border controller/cz8.2
version/oracle enterprise session border controller/cz8.3
version/oracle enterprise session border controller/cz8.4
canonical/oracle essbase
version/oracle essbase/21.2
canonical/oracle graalvm
version/oracle graalvm/19.3.4
version/oracle graalvm/20.3.0
canonical/oracle http server
version/oracle http server/12.2.1.4.0
canonical/oracle jd edwards enterpriseone tools
canonical/oracle jd edwards world security
version/oracle jd edwards world security/a9.4
canonical/oracle mysql
version/oracle mysql/8.0.22
canonical/oracle mysql server
version/oracle mysql server/5.7.32
version/oracle mysql server/8.0.15
version/oracle mysql server/8.0.22
canonical/oracle peoplesoft enterprise peopletools
version/oracle peoplesoft enterprise peopletools/8.56
version/oracle peoplesoft enterprise peopletools/8.57
version/oracle peoplesoft enterprise peopletools/8.58
vendor/netapp
canonical/netapp active iq unified manager vmware vsphere
canonical/netapp active iq unified manager windows
canonical/netapp clustered data ontap antivirus connector
canonical/netapp data ontap 7-mode
canonical/netapp e-series santricity os controller
version/netapp e-series santricity os controller/11.0.0
version/netapp e-series santricity os controller/11.60.3
canonical/netapp hci management node
canonical/netapp manageability software development kit
canonical/netapp oncommand insight
canonical/netapp oncommand workflow automation
canonical/netapp plug-in for symantec netbackup
canonical/netapp santricity smi-s provider
canonical/netapp snapcenter
canonical/netapp solidfire
canonical/netapp hci compute node
canonical/netapp hci storage node
canonical/netapp ef600a firmware
canonical/netapp ef600a
canonical/netapp aff a250 firmware
canonical/netapp aff a250
vendor/tenable
canonical/tenable log correlation engine
canonical/tenable nessus network monitor
vendor/siemens
canonical/siemens sinec infrastructure network services
vendor/nodejs
canonical/nodejs node.js
version/nodejs node.js/10.0.0
version/nodejs node.js/10.12.0
version/nodejs node.js/10.13.0
version/nodejs node.js/12.0.0
version/nodejs node.js/12.12.0
version/nodejs node.js/12.13.0
version/nodejs node.js/14.0.0
version/nodejs node.js/14.14.0
version/nodejs node.js/14.15.0
version/nodejs node.js/15.0.0

CVE-2020-1971: Null Pointer Dereference

Remedy

Remedy

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact