CVE-2021-23840

Integer overflow in CipherUpdate

Description

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.53%
Vendor Advisory debian.org Vendor Advisory gentoo.org Vendor Advisory openssl.org
Affected: OpenSSL OpenSSL
Published at:
Updated at:

References

Link Tags
https://www.openssl.org/news/secadv/20210216.txt vendor advisory
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
https://www.debian.org/security/2021/dsa-4855 third party advisory vendor advisory
https://security.gentoo.org/glsa/202103-03 third party advisory vendor advisory
https://www.oracle.com/security-alerts/cpuApr2021.html third party advisory patch
https://www.tenable.com/security/tns-2021-10 third party advisory
https://www.tenable.com/security/tns-2021-09 third party advisory
https://security.netapp.com/advisory/ntap-20210219-0009/ third party advisory
https://www.tenable.com/security/tns-2021-03 third party advisory
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E mailing list
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E mailing list
https://www.oracle.com//security-alerts/cpujul2021.html third party advisory patch
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846 third party advisory
https://www.oracle.com/security-alerts/cpuoct2021.html third party advisory patch
https://kc.mcafee.com/corporate/index?page=content&id=SB10366 third party advisory
https://www.oracle.com/security-alerts/cpujan2022.html third party advisory patch
https://www.oracle.com/security-alerts/cpuapr2022.html third party advisory patch
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf third party advisory
https://security.netapp.com/advisory/ntap-20240621-0006/

Frequently Asked Questions

What is the severity of CVE-2021-23840?
CVE-2021-23840 has been scored as a high severity vulnerability.
How to fix CVE-2021-23840?
To fix CVE-2021-23840, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-23840 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-23840 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-23840?
CVE-2021-23840 affects OpenSSL OpenSSL.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.