CVE-2021-23839
First published: Tue Feb 16 2021(Updated: )
OpenSSL could provide weaker than expected security, caused by incorrect SSLv2 rollback protection that allows for the inversion of the logic during a padding check. If the server is configured for SSLv2 support at compile time, configured for SSLv2 support at runtime or configured for SSLv2 ciphersuites, it will accept a connection if a version rollback attack has occurred and erroneously reject a connection if a normal SSLv2 connection attempt is made.
Credit: openssl-security@openssl.org openssl-security@openssl.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenSSL OpenSSL | >=1.0.2s<=1.0.2x | |
| Oracle Business Intelligence | =5.5.0.0.0 | |
| Oracle Business Intelligence | =5.9.0.0.0 | |
| Oracle Business Intelligence | =12.2.1.3.0 | |
| Oracle Business Intelligence | =12.2.1.4.0 | |
| Oracle Enterprise Manager For Storage Management | =13.4.0.0 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle GraalVM | =19.3.5 | |
| Oracle GraalVM | =20.3.1.2 | |
| Oracle GraalVM | =21.0.0.2 | |
| Oracle Jd Edwards World Security | =a9.4 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| Siemens Sinec Ins | <1.0 | |
| Siemens Sinec Ins | =1.0 | |
| Siemens Sinec Ins | =1.0-sp1 | |
| redhat/openssl | <1.1.1 | 1.1.1 |
| redhat/openssl | <1.0.2 | 1.0.2 |
| IBM Cognos Analytics | <=12.0.0-12.0.1 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP2 | |
| IBM Cognos Analytics | <=11.1.1-11.1.7 FP7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-23839 https://nvd.nist.gov/vuln/detail/CVE-2021-23839
- https://bugzilla.redhat.com/show_bug.cgi?id=1930294
- https://access.redhat.com/errata/RHSA-2021:3016
- https://access.redhat.com/security/cve/cve-2021-23839
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30919ab80a478f2d81f2e9acdcca3fa4740cd547
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
- https://security.netapp.com/advisory/ntap-20210219-0009/
- https://www.openssl.org/news/secadv/20210216.txt
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1930318
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1930317
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1930314
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1930316
- https://github.com/openssl/openssl/commit/901f1ef7dacb6b3bde63233a1f623e1fa2f0f058
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://exchange.xforce.ibmcloud.com/vulnerabilities/196849
- https://www.ibm.com/support/pages/node/7123154 (Advisory)
Frequently Asked Questions
What is the vulnerability ID for this OpenSSL vulnerability?
The vulnerability ID for this OpenSSL vulnerability is CVE-2021-23839.
What is the severity of CVE-2021-23839?
The severity of CVE-2021-23839 is medium.
Which software versions are affected by CVE-2021-23839?
Software versions 1.0.2 and 1.1.1 of OpenSSL are affected by CVE-2021-23839.
How can I fix the OpenSSL vulnerability with CVE-2021-23839?
To fix the OpenSSL vulnerability with CVE-2021-23839, update to version 1.1.1 of OpenSSL.
Are there any references for additional information about CVE-2021-23839?
Yes, you can find more information about CVE-2021-23839 at the following references: [Reference 1](https://www.openssl.org/news/secadv/20210216.txt), [Reference 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1930318), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1930317).
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-api
- agent/author
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/weakness
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-23839
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/tags
- collector/ibm-support
- source/IBM
- vendor/openssl
- canonical/openssl openssl
- version/openssl openssl/1.0.2s
- version/openssl openssl/1.0.2x
- vendor/oracle
- canonical/oracle business intelligence
- version/oracle business intelligence/5.5.0.0.0
- version/oracle business intelligence/5.9.0.0.0
- version/oracle business intelligence/12.2.1.3.0
- version/oracle business intelligence/12.2.1.4.0
- canonical/oracle enterprise manager for storage management
- version/oracle enterprise manager for storage management/13.4.0.0
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle graalvm
- version/oracle graalvm/19.3.5
- version/oracle graalvm/20.3.1.2
- version/oracle graalvm/21.0.0.2
- canonical/oracle jd edwards world security
- version/oracle jd edwards world security/a9.4
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- vendor/siemens
- canonical/siemens sinec ins
- version/siemens sinec ins/1.0
- version/siemens sinec ins/1.0-sp1
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.1
- version/ibm cognos analytics/11.2.0-11.2.4 fp2
- version/ibm cognos analytics/11.1.1-11.1.7 fp7