Vulnerability in OpenSSL
CVE-2021-3712
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffe…
EPSS: 0.504 (98.8th percentile)
Affected products
- OpenSSL: affected 1.1.1-1.1.1k (fixed in OpenSSL 1.1.1l); affected 1.0.2-1.0.2y (fixed in OpenSSL 1.0.2za)
Public proof-of-concept exploits
References
- www.openssl.org/news/secadv/20210824.txt
- git.openssl.org/gitweb/
- DSA-4963 (vendor-advisory)
- [tomcat-dev] 20210825 OpenSSL security announcement - do we need a Tomcat Native release? (mailing-list)
- [oss-security] 20210825 OpenSSL SM2 Decryption Buffer Overflow (CVE-2021-3711), Read buffer overruns processing ASN.1 strings (CVE-2021-3712) (mailing-list)
- [tomcat-dev] 20210826 Re: OpenSSL security announcement - do we need a Tomcat Native release? (mailing-list)
- security.netapp.com/advisory/ntap-20210827-0010/
- [debian-lts-announce] 20210926 [SECURITY] [DLA 2766-1] openssl security update (mailing-list)
- [debian-lts-announce] 20210930 [SECURITY] [DLA 2774-1] openssl1.0 security update (mailing-list)
Frequently asked questions
- What is CVE-2021-3712?
- CVE-2021-3712 is a vulnerability in OpenSSL. Published 2021-08-24.
- Is CVE-2021-3712 known to be exploited?
- 21 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.