CVE-2020-36242: Integer Overflow
First published: Wed Dec 09 2020(Updated: )
A buffer-overflow flaw was found in the python-cryptography package. In certain sequences of ``update()`` calls when symmetrically encrypting very large payloads (>2GB) could result in an integer overflow, leading to buffer overflows. Note: This fix is a workaround for the OpenSSL CVE-2021-23840 flaw. Source: pyca/cryptography project
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/cryptography | >=3.1<3.3.2 | 3.3.2 |
| redhat/python-cryptography | <0:3.2.1-4.el8 | 0:3.2.1-4.el8 |
| redhat/rh-python38-babel | <0:2.7.0-12.el7 | 0:2.7.0-12.el7 |
| redhat/rh-python38-python | <0:3.8.11-2.el7 | 0:3.8.11-2.el7 |
| redhat/rh-python38-python-cryptography | <0:2.8-5.el7 | 0:2.8-5.el7 |
| redhat/rh-python38-python-jinja2 | <0:2.10.3-6.el7 | 0:2.10.3-6.el7 |
| redhat/rh-python38-python-lxml | <0:4.4.1-7.el7 | 0:4.4.1-7.el7 |
| redhat/rh-python38-python-pip | <0:19.3.1-2.el7 | 0:19.3.1-2.el7 |
| redhat/rh-python38-python-urllib3 | <0:1.25.7-7.el7 | 0:1.25.7-7.el7 |
| redhat/redhat-virtualization-host | <0:4.4.6-20210527.3.el8_4 | 0:4.4.6-20210527.3.el8_4 |
| Cryptography Project Cryptography | <3.3.2 | |
| Fedoraproject Fedora | =33 | |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =1.10.0 | |
| redhat/python-cryptography | <3.3.2 | 3.3.2 |
| Cryptography.io Cryptography Python | <3.3.2 | |
| <3.3.2 | ||
| =33 | ||
| =1.10.0 |
Remedy
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/pyca/cryptography/security/advisories/GHSA-rhm9-p9w5-fwm7
- https://nvd.nist.gov/vuln/detail/CVE-2020-36242
- https://github.com/pyca/cryptography/issues/5615
- https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/
- https://github.com/pyca/cryptography/commit/82b6ce28389f0a317bc55ba2091a74b346db7cae
- https://github.com/pyca/cryptography/compare/3.3.1...3.3.2
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/advisories/GHSA-rhm9-p9w5-fwm7 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2020-36242 https://nvd.nist.gov/vuln/detail/CVE-2020-36242 https://cryptography.io/en/latest/changelog.html#v3-3-2
- https://bugzilla.redhat.com/show_bug.cgi?id=1926226
- https://access.redhat.com/errata/RHSA-2021:1608
- https://access.redhat.com/errata/RHSA-2021:3254
- https://access.redhat.com/errata/RHSA-2021:2239
- https://access.redhat.com/security/cve/cve-2020-36242
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1926227
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1926228
- https://github.com/pyca/cryptography/pull/5748
- https://bodhi.fedoraproject.org/updates/FEDORA-2021-8e36e7ed1a
- https://access.redhat.com/support/policy/updates/cloudforms
- https://cryptography.io/en/latest/changelog.html#v3-3-2
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/
- https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2021-63.yaml
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-36242?
CVE-2020-36242 is a vulnerability in the cryptography package for Python that allows for integer overflow during symmetrical encryption or decryption.
What is the severity of CVE-2020-36242?
The severity of CVE-2020-36242 is critical with a CVSS score of 9.1.
Which software is affected by CVE-2020-36242?
The cryptography package for Python versions up to and including 3.3.2, Oracle Communications Cloud Native Core Network Function Cloud Native Environment version 1.10.0, and Fedora version 33 are affected by CVE-2020-36242.
How can I fix CVE-2020-36242?
To fix CVE-2020-36242, update to version 3.3.2 of the cryptography package for Python.
Where can I find more information about CVE-2020-36242?
You can find more information about CVE-2020-36242 on the CVE website, NIST's vulnerability database, the cryptography package's changelog, the Red Hat bugzilla page, and the Red Hat errata page.
- collector/redhat-cve
- collector/nvd-index
- agent/first-publish-date
- agent/type
- agent/remedy
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-36242
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/description
- agent/author
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rhm9-p9w5-fwm7
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-cve
- collector/github-advisory
- package-manager/redhat
- vendor/cryptography project
- canonical/cryptography project cryptography
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- vendor/oracle
- canonical/oracle communications cloud native core network function cloud native environment
- version/oracle communications cloud native core network function cloud native environment/1.10.0
- vendor/cryptography.io
- canonical/cryptography.io cryptography python
- package-manager/pip