Amazon Linux AMI 2: CVE-2021-23840: Security patch for openssl (ALAS-2021-1608)
Severity:
CVSS:
Published:
Created:
Added:
Modified:
Description:
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
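A caller-side guard for the failure mode described above, as an added example that is not part of the advisory or of OpenSSL's code: it rejects input lengths close to INT_MAX before the call and treats a "successful" return with a negative or oversized output length as a failure. The names `update_fn`, `checked_update` and `stub_wrapping_update` are hypothetical, the stub is a constructed stand-in for an affected library, and the upper bound of `inl + block_size` on the output length is an assumption taken from the EVP documentation.

```c
#include <limits.h>
#include <stddef.h>

/* Same shape as EVP_EncryptUpdate/EVP_DecryptUpdate, with the context as
 * void* so this file builds without OpenSSL headers (an assumption made
 * for this example). */
typedef int (*update_fn)(void *ctx, unsigned char *out, int *outl,
                         const unsigned char *in, int inl);

/* Hypothetical caller-side guard. Returns 1 only when the update succeeded
 * and reported a plausible output length; returns 0 otherwise. */
int checked_update(update_fn fn, void *ctx, unsigned char *out, int *outl,
                   const unsigned char *in, int inl, int block_size)
{
    if (fn == NULL || outl == NULL || block_size <= 0 || inl < 0)
        return 0;
    /* Reject inputs so large that inl + block_size cannot fit in an int. */
    if (inl > INT_MAX - block_size)
        return 0;
    *outl = 0;
    if (fn(ctx, out, outl, in, inl) != 1)
        return 0;
    /* A "success" with a negative or oversized length is treated as failure. */
    if (*outl < 0 || *outl > inl + block_size) {
        *outl = 0;
        return 0;
    }
    return 1;
}

/* Constructed stand-in for an affected library: writes no data, returns 1,
 * and reports inl + 16 computed with wrap-around. */
int stub_wrapping_update(void *ctx, unsigned char *out, int *outl,
                         const unsigned char *in, int inl)
{
    (void)ctx; (void)out; (void)in;
    *outl = (int)((unsigned int)inl + 16u);
    return 1;
}
```

With OpenSSL, pass a small adapter that forwards to EVP_EncryptUpdate or EVP_DecryptUpdate; the guard is defence in depth and does not replace upgrading to a fixed package.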
Solution(s)
- amazon-linux-ami-2-upgrade-openssl
- amazon-linux-ami-2-upgrade-openssl-debuginfo
- amazon-linux-ami-2-upgrade-openssl-devel
- amazon-linux-ami-2-upgrade-openssl-libs
- amazon-linux-ami-2-upgrade-openssl-perl
- amazon-linux-ami-2-upgrade-openssl-static
Reference(s)
- CVE-2021-21153
- CVE-2021-21152
- CVE-2021-21151
- CVE-2021-21150
- CVE-2021-23841
- https://attackerkb.com/topics/cve-2021-23841
- CVE - 2021-23841
- DLA-2563-1
- DSA-4855
- DSA-4855-1
- CVE-2021-21149
- CVE-2021-23840
- https://attackerkb.com/topics/cve-2021-23840
- CVE - 2021-23840
- https://www.openssl.org/news/secadv/20210216.txt
- USN-4738-1
- AL2/ALAS-2021-1608