Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
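The symptom described above (return value 1 together with a negative output length) can be caught on the calling side. The following C code is an added example, not code from OpenSSL or from this advisory: `guarded_update`, the `UPD_*` codes and the two stub functions are hypothetical names, and the function-pointer type stands in for the three EVP update calls so the example builds without OpenSSL headers.

```c
#include <limits.h>
#include <stdio.h>

/* Same shape as EVP_CipherUpdate/EVP_EncryptUpdate/EVP_DecryptUpdate, with the
 * context reduced to void* so this builds without OpenSSL headers. */
typedef int (*update_fn)(void *ctx, unsigned char *out, int *outl,
                         const unsigned char *in, int inl);

#define MAX_BLOCK 32 /* value of OpenSSL's EVP_MAX_BLOCK_LENGTH */

enum { UPD_OK = 0, UPD_TOO_LARGE = -1, UPD_FAILED = -2, UPD_BAD_LEN = -3 };

/* Hypothetical caller-side wrapper: refuse inputs whose output length could
 * exceed INT_MAX, and never trust a "success" return with an impossible *outl. */
int guarded_update(update_fn fn, void *ctx, unsigned char *out, int *outl,
                   const unsigned char *in, int inl)
{
    if (inl < 0 || inl > INT_MAX - MAX_BLOCK)
        return UPD_TOO_LARGE;          /* caller should split the input */
    *outl = 0;
    if (fn(ctx, out, outl, in, inl) != 1)
        return UPD_FAILED;
    if (*outl < 0 || *outl > inl + MAX_BLOCK)
        return UPD_BAD_LEN;            /* returned 1, but length is not usable */
    return UPD_OK;
}

/* Constructed stand-ins: they move no data and only report a length. */
static int stub_ok(void *c, unsigned char *o, int *outl, const unsigned char *i, int inl)
{ (void)c; (void)o; (void)i; *outl = inl; return 1; }

/* Models the symptom in the advisory: return value 1, negative output length. */
static int stub_negative(void *c, unsigned char *o, int *outl, const unsigned char *i, int inl)
{ (void)c; (void)o; (void)i; (void)inl; *outl = -16; return 1; }

int main(void)
{
    int n = 0;
    printf("%d\n", guarded_update(stub_ok, NULL, NULL, &n, NULL, 4096));
    printf("%d\n", guarded_update(stub_ok, NULL, NULL, &n, NULL, INT_MAX - 8));
    printf("%d\n", guarded_update(stub_negative, NULL, NULL, &n, NULL, 4096));
    return 0;
}
```

In real code the stubs are replaced by the EVP call in use; the guard complements, and does not replace, upgrading to a fixed release.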
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
AV:N/AC:L/Au:N/C:N/I:N/A:P
| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | PARTIAL |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary | CWE-190 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | CWE-190 |
| Vendor | Product | Version | Type |
|---|---|---|---|
| openssl | openssl | * | Application |
| openssl | openssl | * | Application |
| debian | debian_linux | 10.0 | Operating System |
| tenable | log_correlation_engine | * | Application |
| tenable | nessus_network_monitor | 5.11.0 | Application |
| tenable | nessus_network_monitor | 5.11.1 | Application |
| tenable | nessus_network_monitor | 5.12.0 | Application |
| tenable | nessus_network_monitor | 5.12.1 | Application |
| tenable | nessus_network_monitor | 5.13.0 | Application |
| oracle | business_intelligence | 5.5.0.0.0 | Application |
| oracle | business_intelligence | 5.9.0.0.0 | Application |
| oracle | business_intelligence | 12.2.1.3.0 | Application |
| oracle | business_intelligence | 12.2.1.4.0 | Application |
| oracle | communications_cloud_native_core_policy | 1.15.0 | Application |
| oracle | enterprise_manager_for_storage_management | 13.4.0.0 | Application |
| oracle | enterprise_manager_ops_center | 12.4.0.0 | Application |
| oracle | graalvm | 19.3.5 | Application |
| oracle | graalvm | 20.3.1.2 | Application |
| oracle | graalvm | 21.0.0.2 | Application |
| oracle | jd_edwards_enterpriseone_tools | * | Application |
| oracle | jd_edwards_world_security | a9.4 | Application |
| oracle | mysql_server | * | Application |
| oracle | mysql_server | * | Application |
| oracle | nosql_database | * | Application |
| mcafee | epolicy_orchestrator | * | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | Application |
| fujitsu | m10-1_firmware | * | Operating System |
| fujitsu | m10-4_firmware | * | Operating System |
| fujitsu | m10-4s_firmware | * | Operating System |
| fujitsu | m12-1_firmware | * | Operating System |
| fujitsu | m12-2_firmware | * | Operating System |
| fujitsu | m12-2s_firmware | * | Operating System |
| fujitsu | m10-1_firmware | * | Operating System |
| fujitsu | m10-4_firmware | * | Operating System |
| fujitsu | m10-4s_firmware | * | Operating System |
| fujitsu | m12-1_firmware | * | Operating System |
| fujitsu | m12-2_firmware | * | Operating System |
| fujitsu | m12-2s_firmware | * | Operating System |
| nodejs | node.js | * | Application |
| nodejs | node.js | * | Application |
| nodejs | node.js | * | Application |
| nodejs | node.js | * | Application |
| nodejs | node.js | * | Application |
| nodejs | node.js | * | Application |
| nodejs | node.js | 14.15.0 | Application |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:tenable:nessus_network_monitor:5.11.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:tenable:nessus_network_monitor:5.11.1:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:tenable:nessus_network_monitor:5.12.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:tenable:nessus_network_monitor:5.12.1:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:tenable:nessus_network_monitor:5.13.0:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:* |
| Yes | cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:* |
| Yes | cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:* |
| Yes | cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:* |
| Yes | cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:enterprise_manager_for_storage_management:13.4.0.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:* |
| Yes | cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:* |
| Yes | cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:* |
| Yes | cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
| Yes | cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* |
| Yes | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
| Yes | cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* |
| Yes | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
| Yes | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
| Yes | cpe:2.3:a:nodejs:node.js:14.15.0:*:*:*:lts:*:*:* |