First published: Thu Aug 19 2021
OpenSSL is vulnerable to a buffer overflow caused by improper bounds checking in the EVP_PKEY_decrypt() function within the SM2 decryption implementation. By sending specially crafted SM2 content, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Credit: openssl-security@openssl.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/openssl | 1.1.1n-0+deb10u3 1.1.1n-0+deb10u6 1.1.1w-0+deb11u1 1.1.1n-0+deb11u5 3.0.11-1~deb12u1 3.0.11-1 | |
redhat/openssl | <1.1.1 | 1.1.1 |
IBM Cognos Analytics | <=12.0.0-12.0.1 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP2 | |
IBM Cognos Analytics | <=11.1.1-11.1.7 FP7 | |
OpenSSL OpenSSL | >=1.1.1<1.1.1l | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Netapp Active Iq Unified Manager Vmware Vsphere | ||
Netapp Active Iq Unified Manager Windows | ||
NetApp Clustered Data ONTAP | ||
Netapp Clustered Data Ontap Antivirus Connector | ||
NetApp E-Series SANtricity OS Controller | >=11.0<=11.50.2 | |
Netapp Hci Management Node | ||
Netapp Manageability Software Development Kit | ||
NetApp OnCommand Insight | ||
NetApp OnCommand Workflow Automation | ||
Netapp Santricity Smi-s Provider | ||
Netapp Snapcenter | ||
Netapp Solidfire | ||
Netapp Storage Encryption | ||
Oracle Communications Cloud Native Core Security Edge Protection Proxy | =1.7.0 | |
Oracle Communications Cloud Native Core Unified Data Repository | =1.15.0 | |
Oracle Communications Session Border Controller | =8.4 | |
Oracle Communications Session Border Controller | =9.0 | |
Oracle Communications Unified Session Manager | =8.2.5 | |
Oracle Communications Unified Session Manager | =8.4.5 | |
Oracle Enterprise Communications Broker | =3.2.0 | |
Oracle Enterprise Communications Broker | =3.3.0 | |
Oracle Enterprise Session Border Controller | =8.4 | |
Oracle Enterprise Session Border Controller | =9.0 | |
Oracle Essbase | <11.1.2.4.47 | |
Oracle Essbase | >=21.1<21.3 | |
Oracle Health Sciences Inform Publisher | =6.2.1.1 | |
Oracle Health Sciences Inform Publisher | =6.3.1.1 | |
Oracle Jd Edwards Enterpriseone Tools | <9.2.6.3 | |
Oracle Jd Edwards World Security | =a9.4 | |
Oracle Mysql Connectors | <=8.0.27 | |
Oracle Mysql Enterprise Monitor | <=8.0.25 | |
Oracle Mysql Server | >=5.7.0<=5.7.35 | |
Oracle Mysql Server | >=8.0.0<=8.0.26 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
Oracle ZFS Storage Appliance Kit | =8.8 | |
Tenable Nessus Network Monitor | <=5.13.1 | |
Tenable Tenable.sc | >=5.16.0<=5.19.1 | |
The vulnerability ID for this OpenSSL vulnerability is CVE-2021-3711.
CVE-2021-3711 has a severity level of critical.
CVE-2021-3711 affects OpenSSL versions 1.1.1 and earlier, IBM Cognos Analytics 11.2.x, IBM Cognos Analytics 11.1.x, and various other software products.
To fix CVE-2021-3711, upgrade to OpenSSL version 1.1.1n or later.
More information about CVE-2021-3711 can be found in the references: [OpenSSL fix commit 59f5e75f](https://github.com/openssl/openssl/commit/59f5e75f3bced8fc0e130d72a3f582cf7b480b46), [Red Hat Bugzilla 1997212](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997212), [Red Hat Bugzilla 1997210](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997210).