CVE-2021-22901: Use After Free
First published: Fri May 21 2021(Updated: )
A use-after-free flaw was found in the way curl handled TLS session data. The curl versions using the OpenSSL library as their TLS backend could use freed memory after TLS session renegotiation was performed by the OpenSSL library. A malicious TLS server could use this flaw to crash or, possibly, execute arbitrary code with the privileges of a client application using the curl library.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24 | <0:1-18.el8 | 0:1-18.el8 |
| redhat/jbcs-httpd24-apr | <0:1.6.3-105.el8 | 0:1.6.3-105.el8 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-82.el8 | 0:1.6.1-82.el8 |
| redhat/jbcs-httpd24-brotli | <0:1.0.6-40.el8 | 0:1.0.6-40.el8 |
| redhat/jbcs-httpd24-curl | <0:7.77.0-2.el8 | 0:7.77.0-2.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-74.el8 | 0:2.4.37-74.el8 |
| redhat/jbcs-httpd24-jansson | <0:2.11-55.el8 | 0:2.11-55.el8 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-37.el8 | 0:1.39.2-37.el8 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-6.el8 | 1:1.1.1g-6.el8 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-5.el8 | 0:1.0.0-5.el8 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-20.el8 | 0:0.4.10-20.el8 |
| redhat/jbcs-httpd24 | <0:1-18.jbcs.el7 | 0:1-18.jbcs.el7 |
| redhat/jbcs-httpd24-apr | <0:1.6.3-105.jbcs.el7 | 0:1.6.3-105.jbcs.el7 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-82.jbcs.el7 | 0:1.6.1-82.jbcs.el7 |
| redhat/jbcs-httpd24-curl | <0:7.77.0-2.jbcs.el7 | 0:7.77.0-2.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-74.jbcs.el7 | 0:2.4.37-74.jbcs.el7 |
| redhat/jbcs-httpd24-jansson | <0:2.11-55.jbcs.el7 | 0:2.11-55.jbcs.el7 |
| redhat/curl | <7.77.0 | 7.77.0 |
| Haxx Curl | >=7.75.0<=7.76.1 | |
| Oracle Communications Cloud Native Core Binding Support Function | =1.11.0 | |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =1.10.0 | |
| Oracle Communications Cloud Native Core Network Repository Function | =1.15.0 | |
| Oracle Communications Cloud Native Core Network Repository Function | =1.15.1 | |
| Oracle Communications Cloud Native Core Network Slice Selection Function | =1.8.0 | |
| Oracle Communications Cloud Native Core Service Communication Proxy | =1.15.0 | |
| Oracle Essbase | <11.1.2.4.047 | |
| Oracle Essbase | >=21.0<21.3 | |
| Oracle Mysql Server | <=5.7.34 | |
| Oracle Mysql Server | >=8.0.0<=8.0.25 | |
| Netapp Active Iq Unified Manager Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| Netapp Cloud Backup | ||
| NetApp OnCommand Insight | ||
| NetApp OnCommand Workflow Automation | ||
| Netapp Snapcenter | ||
| Netapp Solidfire\, Enterprise Sds \& Hci Storage Node | ||
| Netapp Solidfire \& Hci Management Node | ||
| Netapp Solidfire Baseboard Management Controller Firmware | ||
| Netapp Hci Compute Node Firmware | ||
| Netapp Hci Compute Node | ||
| Netapp H300e Firmware | ||
| Netapp H300e | ||
| Netapp H300s Firmware | ||
| Netapp H300s | ||
| Netapp H410s Firmware | ||
| Netapp H410s | ||
| Netapp H500e Firmware | ||
| Netapp H500e | ||
| Netapp H500s Firmware | ||
| Netapp H500s | ||
| Netapp H700e Firmware | ||
| Netapp H700e | ||
| Netapp H700s Firmware | ||
| Netapp H700s | ||
| Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
| All of | ||
| Netapp Hci Compute Node Firmware | ||
| Netapp Hci Compute Node | ||
| All of | ||
| Netapp H300e Firmware | ||
| Netapp H300e | ||
| All of | ||
| Netapp H300s Firmware | ||
| Netapp H300s | ||
| All of | ||
| Netapp H410s Firmware | ||
| Netapp H410s | ||
| All of | ||
| Netapp H500e Firmware | ||
| Netapp H500e | ||
| All of | ||
| Netapp H500s Firmware | ||
| Netapp H500s | ||
| All of | ||
| Netapp H700e Firmware | ||
| Netapp H700e | ||
| All of | ||
| Netapp H700s Firmware | ||
| Netapp H700s | ||
| Splunk Universal Forwarder | >=8.2.0<8.2.12 | |
| Splunk Universal Forwarder | >=9.0.0<9.0.6 | |
| Splunk Universal Forwarder | =9.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf
- https://curl.se/docs/CVE-2021-22901.html
- https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479
- https://hackerone.com/reports/1180380
- https://security.netapp.com/advisory/ntap-20210723-0001/
- https://security.netapp.com/advisory/ntap-20210727-0007/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://github.com/curl/curl/commit/a304051620b92
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1964815
- https://access.redhat.com/errata/RHSA-2021:2471
- https://access.redhat.com/errata/RHSA-2021:2472
- https://access.redhat.com/security/cve/cve-2021-22901
- https://bugzilla.redhat.com/show_bug.cgi?id=1963146
- https://www.cve.org/CVERecord?id=CVE-2021-22901 https://nvd.nist.gov/vuln/detail/CVE-2021-22901 https://curl.se/docs/CVE-2021-22901.html
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2021-22901.
What is the severity of CVE-2021-22901?
The severity of CVE-2021-22901 is high.
What is the affected software?
The affected software includes curl versions 7.75.0 through 7.76.1 and other related packages.
How can this vulnerability be exploited?
This vulnerability can be exploited by a malicious server sending a TLS 1.3 session ticket, potentially leading to remote code execution.
Is there a fix available for CVE-2021-22901?
Yes, the remedy for CVE-2021-22901 is to upgrade to version 7.77.0 of curl.
- collector/redhat-cve
- agent/type
- agent/remedy
- agent/weakness
- agent/references
- agent/severity
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-22901
- agent/software-canonical-lookup
- agent/event
- agent/description
- agent/last-modified-date
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- package-manager/redhat
- vendor/haxx
- canonical/haxx curl
- version/haxx curl/7.75.0
- version/haxx curl/7.76.1
- vendor/oracle
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/1.11.0
- canonical/oracle communications cloud native core network function cloud native environment
- version/oracle communications cloud native core network function cloud native environment/1.10.0
- canonical/oracle communications cloud native core network repository function
- version/oracle communications cloud native core network repository function/1.15.0
- version/oracle communications cloud native core network repository function/1.15.1
- canonical/oracle communications cloud native core network slice selection function
- version/oracle communications cloud native core network slice selection function/1.8.0
- canonical/oracle communications cloud native core service communication proxy
- version/oracle communications cloud native core service communication proxy/1.15.0
- canonical/oracle essbase
- version/oracle essbase/21.0
- canonical/oracle mysql server
- version/oracle mysql server/5.7.34
- version/oracle mysql server/8.0.0
- version/oracle mysql server/8.0.25
- vendor/netapp
- canonical/netapp active iq unified manager vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp cloud backup
- canonical/netapp oncommand insight
- canonical/netapp oncommand workflow automation
- canonical/netapp snapcenter
- canonical/netapp solidfire\, enterprise sds \& hci storage node
- canonical/netapp solidfire \& hci management node
- canonical/netapp solidfire baseboard management controller firmware
- canonical/netapp hci compute node firmware
- canonical/netapp hci compute node
- canonical/netapp h300e firmware
- canonical/netapp h300e
- canonical/netapp h300s firmware
- canonical/netapp h300s
- canonical/netapp h410s firmware
- canonical/netapp h410s
- canonical/netapp h500e firmware
- canonical/netapp h500e
- canonical/netapp h500s firmware
- canonical/netapp h500s
- canonical/netapp h700e firmware
- canonical/netapp h700e
- canonical/netapp h700s firmware
- canonical/netapp h700s
- vendor/siemens
- canonical/siemens sinec infrastructure network services
- vendor/splunk
- canonical/splunk universal forwarder
- version/splunk universal forwarder/8.2.0
- version/splunk universal forwarder/9.0.0
- version/splunk universal forwarder/9.1.0