CVE-2021-45079: Null Pointer Dereference
First published: Mon Jan 31 2022(Updated: )
In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Strongswan Strongswan | >=4.1.2<5.9.5 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Extra Packages For Enterprise Linux | =7.0 | |
| Fedoraproject Extra Packages For Enterprise Linux | =8.0 | |
| Fedoraproject Extra Packages For Enterprise Linux | =9.0 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =20.04 | |
| Canonical Ubuntu Linux | =21.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-45079?
CVE-2021-45079 is a vulnerability in strongSwan that allows a malicious responder to send an EAP-Success message too early without authenticating the client and without server authentication.
How severe is CVE-2021-45079?
CVE-2021-45079 has a severity rating of 9.1 (Critical).
Which software versions are affected by the CVE-2021-45079 vulnerability?
strongSwan versions before 5.9.5 are affected, as well as Debian Linux 9.0, 10.0, and 11.0, Fedora Extra Packages for Enterprise Linux 7.0, 8.0, and 9.0, and Fedora Linux 34 and 35. Also, Canonical Ubuntu Linux 14.04, 16.04, 18.04, 20.04, and 21.10 are affected.
How can the CVE-2021-45079 vulnerability be fixed?
To fix the CVE-2021-45079 vulnerability, update strongSwan to version 5.9.5 or later. Additionally, ensure that the operating systems running strongSwan are updated to the latest security patches.
Where can I find more information about the CVE-2021-45079 vulnerability?
More information about the CVE-2021-45079 vulnerability can be found on the official strongSwan website at https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html.
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/author
- agent/type
- agent/tags
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/strongswan
- canonical/strongswan strongswan
- version/strongswan strongswan/4.1.2
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject extra packages for enterprise linux
- version/fedoraproject extra packages for enterprise linux/7.0
- version/fedoraproject extra packages for enterprise linux/8.0
- version/fedoraproject extra packages for enterprise linux/9.0
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/20.04
- version/canonical ubuntu linux/21.10