製品・ソフトウェアに関する情報
OpenSSL における整数オーバーフローの脆弱性
Title OpenSSL における整数オーバーフローの脆弱性
Summary

OpenSSL には、入力長がプラットフォーム上の整数の最大許容長に近い場合、EVP_CipherUpdate、EVP_EncryptUpdate、EVP_DecryptUpdate の呼び出しに不備があるため、整数オーバーフローの脆弱性が存在します。

Possible impacts アプリケーションが不正な動作をされる、またはクラッシュされる可能性があります。
Solution

ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。

Publication Date Feb. 16, 2021, midnight
Registration Date Nov. 30, 2021, 9:23 a.m.
Last Update July 20, 2023, 3:25 p.m.
CVSS3.0 : 重要
Score 7.5
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS2.0 : 警告
Score 5
Vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Affected System
オラクル
MySQL 
Oracle Enterprise Manager Ops Center 
Oracle GraalVM 
Oracle NoSQL Database 
OpenSSL Project
OpenSSL 1.0.2 から 1.0.2x
OpenSSL 1.1.1 から 1.1.1i
日立
Hitachi Device Manager 
Hitachi Ops Center Analyzer viewpoint (海外販売のみ)
Hitachi Ops Center Common Services (海外販売のみ)
Hitachi Tuning Manager 
uCosminexus Application Server 
uCosminexus Application Server(64) 
uCosminexus Application Server-R 
uCosminexus Developer 
uCosminexus Primary Server Base 
uCosminexus Primary Server Base(64) 
uCosminexus Service Architect 
uCosminexus Service Platform 
uCosminexus Service Platform(64) 
Debian
Debian GNU/Linux 
Tenable, Inc.
Log Correlation Engine 
Nessus Network Monitor 
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
その他
Change Log
No Changed Details Date of change
3 [2022年05月12日]
  ベンダ情報:三菱電機 (MELSOFT GT OPC UA Client における OpenSSL の脆弱性に起因する情報漏えい及びサービス拒否(DoS)の脆弱性) を追加
May 12, 2022, 9:40 a.m.
1 [2021年11月30日]
  掲載
Nov. 30, 2021, 9:23 a.m.
2 [2021年12月07日]
 参考情報:JVN (JVNVU#90348129) を追加
 参考情報:ICS-CERT ADVISORY (ICSA-21-336-06) を追加
Dec. 7, 2021, 1:41 p.m.
4 [2023年07月20日]
  影響を受けるシステム:ベンダ情報の追加に伴い内容を更新
  ベンダ情報:日立 (hitachi-sec-2023-126) を追加
July 20, 2023, 9:59 a.m.

NVD Vulnerability Information
CVE-2021-23840
Summary

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Publication Date Feb. 17, 2021, 2:15 a.m.
Registration Date Feb. 17, 2021, 10:02 a.m.
Last Update Nov. 21, 2024, 2:51 p.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 1.0.2 1.0.2y
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 1.1.1 1.1.1j
Configuration2 or higher or less more than less than
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Configuration3 or higher or less more than less than
cpe:2.3:a:tenable:nessus_network_monitor:5.11.1:*:*:*:*:*:*:*
cpe:2.3:a:tenable:nessus_network_monitor:5.12.0:*:*:*:*:*:*:*
cpe:2.3:a:tenable:nessus_network_monitor:5.12.1:*:*:*:*:*:*:*
cpe:2.3:a:tenable:nessus_network_monitor:5.13.0:*:*:*:*:*:*:*
cpe:2.3:a:tenable:nessus_network_monitor:5.11.0:*:*:*:*:*:*:*
cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* 6.0.8
Configuration4 or higher or less more than less than
cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:enterprise_manager_for_storage_management:13.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* 8.0.15 8.0.23
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* 5.7.33
cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:* 20.3
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* 9.2.6.0
cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
Configuration5 or higher or less more than less than
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*
cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:* 5.10.0
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:*
Configuration6 or higher or less more than less than
cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:* xcp2410
execution environment
1 cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*
Configuration7 or higher or less more than less than
cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:* xcp2410
execution environment
1 cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*
Configuration8 or higher or less more than less than
cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:* xcp2410
execution environment
1 cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*
Configuration9 or higher or less more than less than
cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:* xcp2410
execution environment
1 cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*
Configuration10 or higher or less more than less than
cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:* xcp2410
execution environment
1 cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*
Configuration11 or higher or less more than less than
cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:* xcp2410
execution environment
1 cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*
Configuration12 or higher or less more than less than
cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:* xcp3110
execution environment
1 cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*
Configuration13 or higher or less more than less than
cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:* xcp3110
execution environment
1 cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*
Configuration14 or higher or less more than less than
cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:* xcp3110
execution environment
1 cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*
Configuration15 or higher or less more than less than
cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:* xcp3110
execution environment
1 cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*
Configuration16 or higher or less more than less than
cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:* xcp3110
execution environment
1 cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*
Configuration17 or higher or less more than less than
cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:* xcp3110
execution environment
1 cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*
Configuration18 or higher or less more than less than
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* 15.0.0 15.10.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* 14.0.0 14.14.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* 10.0.0 10.12.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* 12.0.0 12.12.0
cpe:2.3:a:nodejs:node.js:14.15.0:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* 12.13.0 12.21.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* 10.13.0 10.24.0
Related information, measures and tools
Common Vulnerabilities List