UBUNTU-CVE-2021-23841

Source
https://ubuntu.com/security/CVE-2021-23841
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-23841.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2021-23841
Related
Published
2021-02-16T17:15:00Z
Modified
2021-02-16T17:15:00Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash, leading to a potential denial of service attack.

The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself, so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j.

Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

References

Affected packages

Ubuntu:Pro:14.04:LTS / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl?arch=src?distro=trusty/esm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.0.1f-1ubuntu2.27+esm2

Affected versions

1.*

1.0.1e-3ubuntu1
1.0.1e-4ubuntu1
1.0.1e-4ubuntu2
1.0.1e-4ubuntu3
1.0.1e-4ubuntu4
1.0.1f-1ubuntu1
1.0.1f-1ubuntu2
1.0.1f-1ubuntu2.1
1.0.1f-1ubuntu2.2
1.0.1f-1ubuntu2.3
1.0.1f-1ubuntu2.4
1.0.1f-1ubuntu2.5
1.0.1f-1ubuntu2.7
1.0.1f-1ubuntu2.8
1.0.1f-1ubuntu2.11
1.0.1f-1ubuntu2.12
1.0.1f-1ubuntu2.15
1.0.1f-1ubuntu2.16
1.0.1f-1ubuntu2.17
1.0.1f-1ubuntu2.18
1.0.1f-1ubuntu2.19
1.0.1f-1ubuntu2.20
1.0.1f-1ubuntu2.21
1.0.1f-1ubuntu2.22
1.0.1f-1ubuntu2.23
1.0.1f-1ubuntu2.24
1.0.1f-1ubuntu2.25
1.0.1f-1ubuntu2.26
1.0.1f-1ubuntu2.27
1.0.1f-1ubuntu2.27+esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.0.1f-1ubuntu2.27+esm2",
            "binary_name": "libcrypto1.0.0-udeb"
        },
        {
            "binary_version": "1.0.1f-1ubuntu2.27+esm2",
            "binary_name": "libcrypto1.0.0-udeb-dbgsym"
        },
        {
            "binary_version": "1.0.1f-1ubuntu2.27+esm2",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "1.0.1f-1ubuntu2.27+esm2",
            "binary_name": "libssl-dev-dbgsym"
        },
        {
            "binary_version": "1.0.1f-1ubuntu2.27+esm2",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "1.0.1f-1ubuntu2.27+esm2",
            "binary_name": "libssl1.0.0"
        },
        {
            "binary_version": "1.0.1f-1ubuntu2.27+esm2",
            "binary_name": "libssl1.0.0-dbg"
        },
        {
            "binary_version": "1.0.1f-1ubuntu2.27+esm2",
            "binary_name": "libssl1.0.0-dbgsym"
        },
        {
            "binary_version": "1.0.1f-1ubuntu2.27+esm2",
            "binary_name": "libssl1.0.0-udeb"
        },
        {
            "binary_version": "1.0.1f-1ubuntu2.27+esm2",
            "binary_name": "libssl1.0.0-udeb-dbgsym"
        },
        {
            "binary_version": "1.0.1f-1ubuntu2.27+esm2",
            "binary_name": "openssl"
        },
        {
            "binary_version": "1.0.1f-1ubuntu2.27+esm2",
            "binary_name": "openssl-dbgsym"
        }
    ]
}

Ubuntu:16.04:LTS / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2?arch=src?distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0~20160408.ffea0a2c-2ubuntu0.2

Affected versions

0~20150106.*

0~20150106.5c2d456b-2

0~20160104.*

0~20160104.c2a892d7-1

0~20160408.*

0~20160408.ffea0a2c-2
0~20160408.ffea0a2c-2ubuntu0.1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "0~20160408.ffea0a2c-2ubuntu0.2",
            "binary_name": "ovmf"
        },
        {
            "binary_version": "0~20160408.ffea0a2c-2ubuntu0.2",
            "binary_name": "qemu-efi"
        }
    ]
}

Ubuntu:16.04:LTS / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl?arch=src?distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.0.2g-1ubuntu4.19

Affected versions

1.*

1.0.2d-0ubuntu1
1.0.2d-0ubuntu2
1.0.2e-1ubuntu1
1.0.2f-2ubuntu1
1.0.2g-1ubuntu2
1.0.2g-1ubuntu3
1.0.2g-1ubuntu4
1.0.2g-1ubuntu4.1
1.0.2g-1ubuntu4.2
1.0.2g-1ubuntu4.4
1.0.2g-1ubuntu4.5
1.0.2g-1ubuntu4.6
1.0.2g-1ubuntu4.8
1.0.2g-1ubuntu4.9
1.0.2g-1ubuntu4.10
1.0.2g-1ubuntu4.11
1.0.2g-1ubuntu4.12
1.0.2g-1ubuntu4.13
1.0.2g-1ubuntu4.14
1.0.2g-1ubuntu4.15
1.0.2g-1ubuntu4.16
1.0.2g-1ubuntu4.17
1.0.2g-1ubuntu4.18

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.0.2g-1ubuntu4.19",
            "binary_name": "libcrypto1.0.0-udeb"
        },
        {
            "binary_version": "1.0.2g-1ubuntu4.19",
            "binary_name": "libcrypto1.0.0-udeb-dbgsym"
        },
        {
            "binary_version": "1.0.2g-1ubuntu4.19",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "1.0.2g-1ubuntu4.19",
            "binary_name": "libssl-dev-dbgsym"
        },
        {
            "binary_version": "1.0.2g-1ubuntu4.19",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "1.0.2g-1ubuntu4.19",
            "binary_name": "libssl1.0.0"
        },
        {
            "binary_version": "1.0.2g-1ubuntu4.19",
            "binary_name": "libssl1.0.0-dbg"
        },
        {
            "binary_version": "1.0.2g-1ubuntu4.19",
            "binary_name": "libssl1.0.0-dbgsym"
        },
        {
            "binary_version": "1.0.2g-1ubuntu4.19",
            "binary_name": "libssl1.0.0-udeb"
        },
        {
            "binary_version": "1.0.2g-1ubuntu4.19",
            "binary_name": "libssl1.0.0-udeb-dbgsym"
        },
        {
            "binary_version": "1.0.2g-1ubuntu4.19",
            "binary_name": "openssl"
        },
        {
            "binary_version": "1.0.2g-1ubuntu4.19",
            "binary_name": "openssl-dbgsym"
        }
    ]
}

Ubuntu:18.04:LTS / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2?arch=src?distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0~20180205.c0d9813c-2ubuntu0.3

Affected versions

0~20170911.*

0~20170911.5dfba97c-1

0~20171010.*

0~20171010.234dbcef-1

0~20171027.*

0~20171027.76fd5a66-1

0~20171205.*

0~20171205.a9212288-1

0~20180105.*

0~20180105.0bc94c74-1

0~20180205.*

0~20180205.c0d9813c-1
0~20180205.c0d9813c-2
0~20180205.c0d9813c-2ubuntu0.1
0~20180205.c0d9813c-2ubuntu0.2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "0~20180205.c0d9813c-2ubuntu0.3",
            "binary_name": "ovmf"
        },
        {
            "binary_version": "0~20180205.c0d9813c-2ubuntu0.3",
            "binary_name": "qemu-efi"
        },
        {
            "binary_version": "0~20180205.c0d9813c-2ubuntu0.3",
            "binary_name": "qemu-efi-aarch64"
        },
        {
            "binary_version": "0~20180205.c0d9813c-2ubuntu0.3",
            "binary_name": "qemu-efi-arm"
        }
    ]
}

Ubuntu:18.04:LTS / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl?arch=src?distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.1.1-1ubuntu2.1~18.04.8

Affected versions

1.*

1.0.2g-1ubuntu13
1.0.2g-1ubuntu14
1.0.2n-1ubuntu1
1.1.0g-2ubuntu1
1.1.0g-2ubuntu2
1.1.0g-2ubuntu3
1.1.0g-2ubuntu4
1.1.0g-2ubuntu4.1
1.1.0g-2ubuntu4.3
1.1.1-1ubuntu2.1~18.04.1
1.1.1-1ubuntu2.1~18.04.2
1.1.1-1ubuntu2.1~18.04.3
1.1.1-1ubuntu2.1~18.04.4
1.1.1-1ubuntu2.1~18.04.5
1.1.1-1ubuntu2.1~18.04.6
1.1.1-1ubuntu2.1~18.04.7

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.1.1-1ubuntu2.1~18.04.8",
            "binary_name": "libcrypto1.1-udeb"
        },
        {
            "binary_version": "1.1.1-1ubuntu2.1~18.04.8",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "1.1.1-1ubuntu2.1~18.04.8",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "1.1.1-1ubuntu2.1~18.04.8",
            "binary_name": "libssl1.1"
        },
        {
            "binary_version": "1.1.1-1ubuntu2.1~18.04.8",
            "binary_name": "libssl1.1-dbgsym"
        },
        {
            "binary_version": "1.1.1-1ubuntu2.1~18.04.8",
            "binary_name": "libssl1.1-udeb"
        },
        {
            "binary_version": "1.1.1-1ubuntu2.1~18.04.8",
            "binary_name": "openssl"
        },
        {
            "binary_version": "1.1.1-1ubuntu2.1~18.04.8",
            "binary_name": "openssl-dbgsym"
        }
    ]
}

Ubuntu:18.04:LTS / openssl1.0

Package

Name
openssl1.0
Purl
pkg:deb/ubuntu/openssl1.0?arch=src?distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.0.2n-1ubuntu5.6

Affected versions

1.*

1.0.2n-1ubuntu2
1.0.2n-1ubuntu3
1.0.2n-1ubuntu4
1.0.2n-1ubuntu5
1.0.2n-1ubuntu5.1
1.0.2n-1ubuntu5.2
1.0.2n-1ubuntu5.3
1.0.2n-1ubuntu5.4
1.0.2n-1ubuntu5.5

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.0.2n-1ubuntu5.6",
            "binary_name": "libcrypto1.0.0-udeb"
        },
        {
            "binary_version": "1.0.2n-1ubuntu5.6",
            "binary_name": "libssl1.0-dev"
        },
        {
            "binary_version": "1.0.2n-1ubuntu5.6",
            "binary_name": "libssl1.0.0"
        },
        {
            "binary_version": "1.0.2n-1ubuntu5.6",
            "binary_name": "libssl1.0.0-dbgsym"
        },
        {
            "binary_version": "1.0.2n-1ubuntu5.6",
            "binary_name": "libssl1.0.0-udeb"
        },
        {
            "binary_version": "1.0.2n-1ubuntu5.6",
            "binary_name": "openssl1.0"
        },
        {
            "binary_version": "1.0.2n-1ubuntu5.6",
            "binary_name": "openssl1.0-dbgsym"
        }
    ]
}

Ubuntu:20.04:LTS / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0~20191122.bd85bf54-2ubuntu3.1

Affected versions

0~20190606.*

0~20190606.20d2e5a1-2ubuntu1

0~20190828.*

0~20190828.37eef910-3
0~20190828.37eef910-4

0~20191122.*

0~20191122.bd85bf54-1
0~20191122.bd85bf54-1ubuntu1
0~20191122.bd85bf54-2
0~20191122.bd85bf54-2ubuntu1
0~20191122.bd85bf54-2ubuntu2
0~20191122.bd85bf54-2ubuntu3

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "0~20191122.bd85bf54-2ubuntu3.1",
            "binary_name": "ovmf"
        },
        {
            "binary_version": "0~20191122.bd85bf54-2ubuntu3.1",
            "binary_name": "qemu-efi"
        },
        {
            "binary_version": "0~20191122.bd85bf54-2ubuntu3.1",
            "binary_name": "qemu-efi-aarch64"
        },
        {
            "binary_version": "0~20191122.bd85bf54-2ubuntu3.1",
            "binary_name": "qemu-efi-arm"
        }
    ]
}

Ubuntu:20.04:LTS / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.1.1f-1ubuntu2.2

Affected versions

1.*

1.1.1c-1ubuntu4
1.1.1d-2ubuntu3
1.1.1d-2ubuntu6
1.1.1f-1ubuntu1
1.1.1f-1ubuntu2
1.1.1f-1ubuntu2.1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.1.1f-1ubuntu2.2",
            "binary_name": "libcrypto1.1-udeb"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.2",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.2",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.2",
            "binary_name": "libssl1.1"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.2",
            "binary_name": "libssl1.1-dbgsym"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.2",
            "binary_name": "libssl1.1-udeb"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.2",
            "binary_name": "openssl"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.2",
            "binary_name": "openssl-dbgsym"
        }
    ]
}
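Worked check against the fixed versions listed above. This is an added example, not code from the Ubuntu or OSV advisory. It reimplements dpkg's version ordering (epoch:upstream-revision split, "~" sorting before everything including end of string, digit runs compared numerically so 4.10 is newer than 4.9) so that it runs on a host without dpkg, for instance when auditing an exported package inventory. The FIXED_VERSIONS table is copied from the Affected packages sections above; the release codenames used as keys (trusty/esm, xenial, bionic, focal) are taken from the purls, and the sample inventory in the main block is constructed for illustration.

```python
"""Compare installed Ubuntu package versions against UBUNTU-CVE-2021-23841 fixes.

Added example, not part of the advisory. Version ordering follows dpkg's
verrevcmp() so the results match `dpkg --compare-versions`.
"""
from __future__ import annotations

# (release codename from the purl, source package) -> first fixed version,
# copied from the Affected packages sections of the advisory.
FIXED_VERSIONS = {
    ("trusty/esm", "openssl"): "1.0.1f-1ubuntu2.27+esm2",
    ("xenial", "edk2"): "0~20160408.ffea0a2c-2ubuntu0.2",
    ("xenial", "openssl"): "1.0.2g-1ubuntu4.19",
    ("bionic", "edk2"): "0~20180205.c0d9813c-2ubuntu0.3",
    ("bionic", "openssl"): "1.1.1-1ubuntu2.1~18.04.8",
    ("bionic", "openssl1.0"): "1.0.2n-1ubuntu5.6",
    ("focal", "edk2"): "0~20191122.bd85bf54-2ubuntu3.1",
    ("focal", "openssl"): "1.1.1f-1ubuntu2.2",
}


def _order(ch: str) -> int:
    """Collation weight of one non-digit character, as in dpkg's order()."""
    if ch == "~":
        return -1           # tilde sorts before everything, even end of string
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)      # letters sort before other punctuation
    return ord(ch) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Walk the run of non-digit characters side by side.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare the following digit runs as integers, not as strings.
        ni = i
        while ni < len(a) and a[ni].isdigit():
            ni += 1
        nj = j
        while nj < len(b) and b[nj].isdigit():
            nj += 1
        na, nb = int(a[i:ni] or "0"), int(b[j:nj] or "0")
        if na != nb:
            return -1 if na < nb else 1
        i, j = ni, nj
    return 0


def _split(version: str) -> tuple[int, str, str]:
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to '0'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as `dpkg --compare-versions a lt/eq/gt b` would."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_vulnerable(release: str, source_pkg: str, installed: str) -> bool:
    """True when the installed version predates the fix for this release/source."""
    return compare_versions(installed, FIXED_VERSIONS[(release, source_pkg)]) < 0


def find_vulnerable(release: str, installed: dict[str, str]) -> list[str]:
    """Given {source package: installed version}, list those still below the fix.

    Pairs the advisory does not list for that release are skipped, not reported.
    """
    return sorted(
        pkg for pkg, ver in installed.items()
        if (release, pkg) in FIXED_VERSIONS and is_vulnerable(release, pkg, ver)
    )


if __name__ == "__main__":
    # Constructed inventory for a bionic host that took the openssl1.0 and
    # edk2 updates but is still one revision behind on openssl.
    sample = {
        "openssl": "1.1.1-1ubuntu2.1~18.04.7",
        "openssl1.0": "1.0.2n-1ubuntu5.6",
        "edk2": "0~20180205.c0d9813c-2ubuntu0.3",
    }
    print("still vulnerable on bionic:", find_vulnerable("bionic", sample))
```

On a live host the inventory can be produced with `dpkg-query -W -f='${source:Package} ${Version}\n' libssl1.1 libssl1.0.0 ovmf`, which reports the source package name the table is keyed on; `dpkg --compare-versions` is the reference to cross-check compare_versions() against if a result looks surprising. Keep in mind the advisory's own scoping: a version below the fix means the vulnerable X509_issuer_and_serial_hash() is present, but only programs that call it on certificates from untrusted sources were actually exposed.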