CVE-2021-22901: Use After Free
First published: Fri May 21 2021(Updated: )
A use-after-free flaw was found in the way curl handled TLS session data. The curl versions using the OpenSSL library as their TLS backend could use freed memory after TLS session renegotiation was performed by the OpenSSL library. A malicious TLS server could use this flaw to crash or, possibly, execute arbitrary code with the privileges of a client application using the curl library.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24 | <0:1-18.el8 | 0:1-18.el8 |
| redhat/jbcs-httpd24-apr | <0:1.6.3-105.el8 | 0:1.6.3-105.el8 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-82.el8 | 0:1.6.1-82.el8 |
| redhat/jbcs-httpd24-brotli | <0:1.0.6-40.el8 | 0:1.0.6-40.el8 |
| redhat/jbcs-httpd24-curl | <0:7.77.0-2.el8 | 0:7.77.0-2.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-74.el8 | 0:2.4.37-74.el8 |
| redhat/jbcs-httpd24-jansson | <0:2.11-55.el8 | 0:2.11-55.el8 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-37.el8 | 0:1.39.2-37.el8 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-6.el8 | 1:1.1.1g-6.el8 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-5.el8 | 0:1.0.0-5.el8 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-20.el8 | 0:0.4.10-20.el8 |
| redhat/jbcs-httpd24 | <0:1-18.jbcs.el7 | 0:1-18.jbcs.el7 |
| redhat/jbcs-httpd24-apr | <0:1.6.3-105.jbcs.el7 | 0:1.6.3-105.jbcs.el7 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-82.jbcs.el7 | 0:1.6.1-82.jbcs.el7 |
| redhat/jbcs-httpd24-curl | <0:7.77.0-2.jbcs.el7 | 0:7.77.0-2.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-74.jbcs.el7 | 0:2.4.37-74.jbcs.el7 |
| redhat/jbcs-httpd24-jansson | <0:2.11-55.jbcs.el7 | 0:2.11-55.jbcs.el7 |
| redhat/curl | <7.77.0 | 7.77.0 |
| Curl | >=7.75.0<=7.76.1 | |
| Oracle Communications Cloud Native Core Binding Support Function | =1.11.0 | |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =1.10.0 | |
| Oracle Communications Cloud Native Core Network Repository Function | =1.15.0 | |
| Oracle Communications Cloud Native Core Network Repository Function | =1.15.1 | |
| Oracle Communications Cloud Native Core Network Slice Selection Function | =1.8.0 | |
| Oracle Communications Cloud Native Core Service Communication Proxy | =1.15.0 | |
| Oracle Hyperion Essbase | <11.1.2.4.047 | |
| Oracle Hyperion Essbase | >=21.0<21.3 | |
| Oracle MySQL | <=5.7.34 | |
| Oracle MySQL | >=8.0.0<=8.0.25 | |
| NetApp Active IQ Unified Manager | ||
| NetApp Active IQ Unified Manager | ||
| NetApp Cloud Backup | ||
| NetApp OnCommand Insight | ||
| NetApp OnCommand Workflow Automation | ||
| NetApp SnapCenter | ||
| NetApp SolidFire Enterprise SDS | ||
| NetApp SolidFire & HCI Management Node | ||
| NetApp SolidFire Baseboard Management Controller Firmware | ||
| NetApp HCI Compute Node Firmware | ||
| NetApp HCI Compute Node | ||
| NetApp H300E | ||
| NetApp H300E Firmware | ||
| NetApp H300S Firmware | ||
| NetApp H300S Firmware | ||
| NetApp H410S | ||
| NetApp H410S Firmware | ||
| NetApp H500E | ||
| NetApp H500e Firmware | ||
| NetApp H500e Firmware | ||
| NetApp H500e Firmware | ||
| NetApp H700E | ||
| NetApp H700E | ||
| NetApp H700S | ||
| NetApp H700S | ||
| Siemens SINEC Infrastructure Network Services | <1.0.1.1 | |
| All of | ||
| NetApp HCI Compute Node Firmware | ||
| NetApp HCI Compute Node | ||
| All of | ||
| NetApp H300E | ||
| NetApp H300E Firmware | ||
| All of | ||
| NetApp H300S Firmware | ||
| NetApp H300S Firmware | ||
| All of | ||
| NetApp H410S | ||
| NetApp H410S Firmware | ||
| All of | ||
| NetApp H500E | ||
| NetApp H500e Firmware | ||
| All of | ||
| NetApp H500e Firmware | ||
| NetApp H500e Firmware | ||
| All of | ||
| NetApp H700E | ||
| NetApp H700E | ||
| All of | ||
| NetApp H700S | ||
| NetApp H700S | ||
| Splunk Universal Forwarder | >=8.2.0<8.2.12 | |
| Splunk Universal Forwarder | >=9.0.0<9.0.6 | |
| Splunk Universal Forwarder | =9.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf
- https://curl.se/docs/CVE-2021-22901.html
- https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479
- https://hackerone.com/reports/1180380
- https://security.netapp.com/advisory/ntap-20210723-0001/
- https://security.netapp.com/advisory/ntap-20210727-0007/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://github.com/curl/curl/commit/a304051620b92
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1964815
- https://access.redhat.com/errata/RHSA-2021:2471
- https://access.redhat.com/errata/RHSA-2021:2472
- https://access.redhat.com/security/cve/cve-2021-22901
- https://bugzilla.redhat.com/show_bug.cgi?id=1963146
- https://www.cve.org/CVERecord?id=CVE-2021-22901 https://nvd.nist.gov/vuln/detail/CVE-2021-22901 https://curl.se/docs/CVE-2021-22901.html
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2021-22901.
What is the severity of CVE-2021-22901?
The severity of CVE-2021-22901 is high.
What is the affected software?
The affected software includes curl versions 7.75.0 through 7.76.1 and other related packages.
How can this vulnerability be exploited?
This vulnerability can be exploited by a malicious server sending a TLS 1.3 session ticket, potentially leading to remote code execution.
Is there a fix available for CVE-2021-22901?
Yes, the remedy for CVE-2021-22901 is to upgrade to version 7.77.0 of curl.
- collector/redhat-cve
- agent/type
- agent/remedy
- agent/weakness
- agent/references
- agent/severity
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-22901
- agent/software-canonical-lookup
- agent/event
- agent/description
- agent/last-modified-date
- agent/author
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- package-manager/redhat
- vendor/haxx
- canonical/curl
- version/curl/7.75.0
- version/curl/7.76.1
- vendor/oracle
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/1.11.0
- canonical/oracle communications cloud native core network function cloud native environment
- version/oracle communications cloud native core network function cloud native environment/1.10.0
- canonical/oracle communications cloud native core network repository function
- version/oracle communications cloud native core network repository function/1.15.0
- version/oracle communications cloud native core network repository function/1.15.1
- canonical/oracle communications cloud native core network slice selection function
- version/oracle communications cloud native core network slice selection function/1.8.0
- canonical/oracle communications cloud native core service communication proxy
- version/oracle communications cloud native core service communication proxy/1.15.0
- canonical/oracle hyperion essbase
- version/oracle hyperion essbase/21.0
- canonical/oracle mysql
- version/oracle mysql/5.7.34
- version/oracle mysql/8.0.0
- version/oracle mysql/8.0.25
- vendor/netapp
- canonical/netapp active iq unified manager
- canonical/netapp cloud backup
- canonical/netapp oncommand insight
- canonical/netapp oncommand workflow automation
- canonical/netapp snapcenter
- canonical/netapp solidfire enterprise sds
- canonical/netapp solidfire & hci management node
- canonical/netapp solidfire baseboard management controller firmware
- canonical/netapp hci compute node firmware
- canonical/netapp hci compute node
- canonical/netapp h300e
- canonical/netapp h300e firmware
- canonical/netapp h300s firmware
- canonical/netapp h410s
- canonical/netapp h410s firmware
- canonical/netapp h500e
- canonical/netapp h500e firmware
- canonical/netapp h700e
- canonical/netapp h700s
- vendor/siemens
- canonical/siemens sinec infrastructure network services
- vendor/splunk
- canonical/splunk universal forwarder
- version/splunk universal forwarder/8.2.0
- version/splunk universal forwarder/9.0.0
- version/splunk universal forwarder/9.1.0