What is CVE-2021-3711?

CVE-2021-3711 is a vulnerability in Openssl. Published 2021-08-24.

Is CVE-2021-3711 known to be exploited?

24 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Openssl

CVE-2021-3711

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit…

EPSS: 0.878 (99.7th percentile) — read the EPSS interpretation.

Affected products

Openssl — versions Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k)

Public proof-of-concept exploits

0xDeCA10B/attackfinder
ARPSyndicate/cvemon
Frannc0/test2
NeXTLinux/griffon
VAN-ALLY/Anchore
Vazimax/Dataset-Generation
akaganeite/CVE4PP
anchore/grype
aymankhder/scanner-for-container
aywengo/httpbin-k8s-deployment

References

www.openssl.org/news/secadv/20210824.txt
git.openssl.org/gitweb/
DSA-4963 (vendor-advisory)
[tomcat-dev] 20210825 OpenSSL security announcement - do we need a Tomcat Native release? (mailing-list)
[oss-security] 20210825 OpenSSL SM2 Decryption Buffer Overflow (CVE-2021-3711), Read buffer overruns processing ASN.1 strings (CVE-2021-3712) (mailing-list)
[tomcat-dev] 20210826 Re: OpenSSL security announcement - do we need a Tomcat Native release? (mailing-list)
security.netapp.com/advisory/ntap-20210827-0010/
www.oracle.com/security-alerts/cpuoct2021.html
www.tenable.com/security/tns-2021-16
www.oracle.com/security-alerts/cpujan2022.html

Frequently asked questions

What is CVE-2021-3711?: CVE-2021-3711 is a vulnerability in Openssl. Published 2021-08-24.
Is CVE-2021-3711 known to be exploited?: 24 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.