CVE-2021-23840

Calls to EVPCipherUpdate, EVPEncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

References

Affected packages

Git

github.com/graalvm/graalvm-ce-builds

Affected ranges

Type: GIT
Repo: https://github.com/graalvm/graalvm-ce-builds
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fab0396eab86e8236899c69d3a56baad00e5af14

Affected versions

vm-19.*

vm-19.3.2

vm-19.3.2-pre

vm-19.3.3

vm-19.3.4

vm-20.*

vm-20.0.1

vm-20.1.0

vm-20.2.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-23840.json"

github.com/mysql/mysql-server

Affected ranges

Type: GIT
Repo: https://github.com/mysql/mysql-server
Events: Introduced

ca94b993454c86be248fbe180db94647488114e9

Fixed

7ed30a748964c009d4909cb8b4b22036ebdef239

Fixed

e5d189ecb9465f4be6235109dd3dbcaab01ddc53

Affected versions

mysql-5.*

mysql-5.5.63

mysql-5.6.43

mysql-5.6.45

mysql-5.6.46

mysql-5.6.47

mysql-5.6.48

mysql-5.6.49

mysql-5.6.50

mysql-5.7.25

mysql-5.7.26

mysql-5.7.27

mysql-5.7.28

mysql-5.7.29

mysql-5.7.30

mysql-5.7.31

mysql-5.7.32

mysql-8.*

mysql-8.0.15

mysql-8.0.16

mysql-8.0.17

mysql-8.0.18

mysql-8.0.19

mysql-8.0.20

mysql-8.0.21

mysql-8.0.22

mysql-cluster-7.*

mysql-cluster-7.2.37

mysql-cluster-7.2.38

mysql-cluster-7.2.39

mysql-cluster-7.2.40

mysql-cluster-7.3.23

mysql-cluster-7.3.24

mysql-cluster-7.3.25

mysql-cluster-7.3.26

mysql-cluster-7.3.27

mysql-cluster-7.3.28

mysql-cluster-7.3.29

mysql-cluster-7.3.30

mysql-cluster-7.3.31

mysql-cluster-7.4.23

mysql-cluster-7.4.24

mysql-cluster-7.4.25

mysql-cluster-7.4.26

mysql-cluster-7.4.27

mysql-cluster-7.4.28

mysql-cluster-7.4.29

mysql-cluster-7.4.30

mysql-cluster-7.5.12

mysql-cluster-7.5.13

mysql-cluster-7.5.14

mysql-cluster-7.5.15

mysql-cluster-7.5.16

mysql-cluster-7.5.17

mysql-cluster-7.5.18

mysql-cluster-7.5.19

mysql-cluster-7.5.20

mysql-cluster-7.6.10

mysql-cluster-7.6.11

mysql-cluster-7.6.12

mysql-cluster-7.6.13

mysql-cluster-7.6.14

mysql-cluster-7.6.15

mysql-cluster-7.6.16

mysql-cluster-7.6.8

mysql-cluster-7.6.9

mysql-cluster-8.*

mysql-cluster-8.0.16

mysql-cluster-8.0.18

mysql-cluster-8.0.19

mysql-cluster-8.0.20

mysql-cluster-8.0.21

mysql-cluster-8.0.22

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-23840.json"

vanir_signatures

[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "286756561296075042237231219649184368171",
                "302896255058266923472696425836035569717",
                "300297427993859605007554044173966498739",
                "175565100923089660637647648328373853699",
                "71802579880224164103266412744806334599",
                "315666916814277685292192961936838231932",
                "198092292660585766502869236426726266894",
                "162640942130416387239939759911226756525"
            ]
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/mysql/mysql-server/commit/e5d189ecb9465f4be6235109dd3dbcaab01ddc53",
        "target": {
            "file": "include/welcome_copyright_notice.h"
        },
        "id": "CVE-2021-23840-a59356ae"
    }
]

github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Fixed

57679e1c97a90057d5ca9e1f0d1f3c6255d20200

Fixed

79ea8c333c0ff7960d5f5da41c6b6cce9dc95776

Introduced

d683e3dda09b6b3cc6cad6fd2c106e3061a48f0d

Fixed

7a4f260c5df43caa2f522e739b7cc3e7595d7e09

Introduced

42cce5a9d0fd905bf4ad7a2528c36572dfb8b5ad

Fixed

ab8d3c5a1262b4e04c0191a180914555d7c860c3

Introduced

ab4af087e83d91a46354d765306d3543b1d85423

Fixed

ce800870b4206bafea2942f0b404a7f8f86a8bea

Affected versions

v10.*

v10.13.0

v10.14.0

v10.14.1

v10.14.2

v10.15.0

v10.15.1

v10.15.2

v10.15.3

v10.16.0

v10.16.1

v10.16.2

v10.16.3

v10.17.0

v10.18.0

v10.18.1

v10.19.0

v10.20.0

v10.20.1

v10.21.0

v10.22.0

v10.22.1

v10.23.0

v10.23.1

v10.23.2

v10.23.3

v12.*

v12.13.0

v12.13.1

v12.14.0

v12.14.1

v12.15.0

v12.16.0

v12.16.1

v12.16.2

v12.16.3

v12.17.0

v12.18.0

v12.18.1

v12.18.2

v12.18.3

v12.18.4

v12.19.0

v12.19.1

v12.20.0

v12.20.1

v12.20.2

v15.*

v15.0.0

v15.0.1

v15.1.0

v15.2.0

v15.2.1

v15.3.0

v15.4.0

v15.5.0

v15.5.1

v15.6.0

v15.7.0

v15.8.0

v15.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-23840.json"