Bugzilla – Bug 1189520
EMU: VUL-0: CVE-2021-3711: openssl-1_1: SM2 Decryption Buffer Overflow
Last modified: 2023-01-17 15:38:11 UTC
Submit requests: SUSE:SLE-12-SP4:Update | request id 248531 SUSE:SLE-15-SP2:Update | request id 248530
is public.

https://www.openssl.org/news/secadv/20210824.txt

SM2 Decryption Buffer Overflow (CVE-2021-3711)
==============================================

Severity: High

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter.

A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small.

A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated.

OpenSSL versions 1.1.1k and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1l.

OpenSSL 1.0.2 is not impacted by this issue.

OpenSSL 3.0 alpha/beta releases are also affected but this issue will be addressed before the final release.

This issue was reported to OpenSSL on 12th August 2021 by John Ouyang. The fix was developed by Matt Caswell.
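The size-query contract the advisory describes, modelled as an added example (not code from this bug report or from OpenSSL): a constructed stub under-reports its required size, and a hypothetical caller-side guard contains and rejects the mismatch. The names `stub_decrypt` and `guarded_decrypt` and the one-byte input header are assumptions for illustration; the fix remains the upgrade to OpenSSL 1.1.1l.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_OVERRUN 62 /* worst-case overflow stated in the advisory */

/* Two-call contract from the advisory: out == NULL stores the required size
 * in *outlen; otherwise *outlen receives the bytes written. 1 = success. */
typedef int (*decrypt_fn)(unsigned char *out, size_t *outlen,
                          const unsigned char *in, size_t inlen);

/* Constructed stand-in, NOT OpenSSL code: in[0] is how many bytes the size
 * query under-reports; the remaining input bytes play the plaintext. */
static int stub_decrypt(unsigned char *out, size_t *outlen,
                        const unsigned char *in, size_t inlen)
{
    if (inlen == 0) return 0;
    size_t real = inlen - 1, skew = in[0] > MAX_OVERRUN ? MAX_OVERRUN : in[0];
    if (skew > real) skew = real;
    if (out == NULL) { *outlen = real - skew; return 1; }
    memcpy(out, in + 1, real); /* writes the true size, ignoring capacity */
    *outlen = real;
    return 1;
}

/* Hypothetical guard: add slack so an under-reported size stays inside the
 * allocation, and reject output longer than the first call promised. */
static unsigned char *guarded_decrypt(decrypt_fn fn, const unsigned char *in,
                                      size_t inlen, size_t *ptlen, int *mismatch)
{
    size_t need = 0, got;
    *mismatch = 0;
    if (!fn(NULL, &need, in, inlen) || need > SIZE_MAX - MAX_OVERRUN) return NULL;
    unsigned char *buf = malloc(need + MAX_OVERRUN);
    if (buf == NULL) return NULL;
    got = need; /* the capacity the size query said was enough */
    if (!fn(buf, &got, in, inlen) || got > need) {
        *mismatch = got > need;
        free(buf);
        return NULL;
    }
    *ptlen = got;
    return buf;
}

int main(void)
{
    unsigned char bad[71] = { 62 }; size_t n = 0; int mm = 0;
    free(guarded_decrypt(stub_decrypt, bad, sizeof bad, &n, &mm));
    return mm == 1 ? 0 : 1; /* exit 0 when the mismatch was detected */
}
```
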
openSUSE-SU-2021:2830-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1189520,1189521
CVE References: CVE-2021-3711,CVE-2021-3712
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): openssl-1_1-1.1.1d-11.27.1
SUSE-SU-2021:2830-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1189520,1189521
CVE References: CVE-2021-3711,CVE-2021-3712
JIRA References:
Sources used:
SUSE MicroOS 5.0 (src): openssl-1_1-1.1.1d-11.27.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): openssl-1_1-1.1.1d-11.27.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): openssl-1_1-1.1.1d-11.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2833-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1189520,1189521
CVE References: CVE-2021-3711,CVE-2021-3712
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): openssl-1_1-1.1.1d-2.36.2
SUSE OpenStack Cloud 9 (src): openssl-1_1-1.1.1d-2.36.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): openssl-1_1-1.1.1d-2.36.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src): openssl-1_1-1.1.1d-2.36.2
SUSE Linux Enterprise Server 12-SP5 (src): openssl-1_1-1.1.1d-2.36.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src): openssl-1_1-1.1.1d-2.36.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
all updates released, factory and 15-sp4 update in progress.
openSUSE-SU-2021:1188-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1189520,1189521
CVE References: CVE-2021-3711,CVE-2021-3712
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): openssl-1_1-1.1.1d-lp152.7.21.1
The EMU has been completed.
SUSE-SU-2022:3676-1: An update that fixes 14 vulnerabilities, contains four features is now available.

Category: security (important)
Bug References: 1188571,1189520,1192383,1192763,1193492,1193686,1194873,1195726,1195727,1195728,1201535,1201539,1203596,1203597
CVE References: CVE-2021-36222,CVE-2021-3711,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43815,CVE-2022-21673,CVE-2022-21702,CVE-2022-21703,CVE-2022-21713,CVE-2022-31097,CVE-2022-31107,CVE-2022-35957,CVE-2022-36062
JIRA References: PED-2145,SLE-23422,SLE-23439,SLE-24565
Sources used:
SUSE Enterprise Storage 6 (src): grafana-8.5.13-150100.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4428-1: An update that fixes 12 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1188571,1189520,1192383,1192763,1193492,1193686,1199810,1201535,1201539,1203596,1203597
CVE References: CVE-2021-36222,CVE-2021-3711,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43813,CVE-2021-43815,CVE-2022-29170,CVE-2022-31097,CVE-2022-31107,CVE-2022-35957,CVE-2022-36062
JIRA References: PED-2145
Sources used:
openSUSE Leap 15.4 (src): grafana-8.5.13-150200.3.29.5
openSUSE Leap 15.3 (src): grafana-8.5.13-150200.3.29.5
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): grafana-8.5.13-150200.3.29.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4437-1: An update that solves 12 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (important)
Bug References: 1188571,1189520,1192383,1192763,1193492,1193686,1199810,1201535,1201539,1202945,1203283,1203596,1203597,1203599
CVE References: CVE-2021-36222,CVE-2021-3711,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43813,CVE-2021-43815,CVE-2022-29170,CVE-2022-31097,CVE-2022-31107,CVE-2022-35957,CVE-2022-36062
JIRA References: PED-2145
Sources used:
openSUSE Leap 15.4 (src): dracut-saltboot-0.1.1665997480.587fa10-150000.1.41.1, golang-github-boynux-squid_exporter-1.6-150000.1.9.1, golang-github-prometheus-promu-0.13.0-150000.3.9.1, prometheus-blackbox_exporter-0.19.0-150000.1.14.3, spacecmd-4.3.16-150000.3.89.1, wire-0.5.0-150000.1.9.3
openSUSE Leap 15.3 (src): dracut-saltboot-0.1.1665997480.587fa10-150000.1.41.1, golang-github-boynux-squid_exporter-1.6-150000.1.9.1, golang-github-prometheus-promu-0.13.0-150000.3.9.1, spacecmd-4.3.16-150000.3.89.1
SUSE Manager Tools for SLE Micro 5 (src): dracut-saltboot-0.1.1665997480.587fa10-150000.1.41.1, prometheus-blackbox_exporter-0.19.0-150000.1.14.3, uyuni-proxy-systemd-services-4.3.7-150000.1.9.3
SUSE Manager Tools 15 (src): dracut-saltboot-0.1.1665997480.587fa10-150000.1.41.1, golang-github-boynux-squid_exporter-1.6-150000.1.9.1, grafana-8.5.13-150000.1.36.3, prometheus-blackbox_exporter-0.19.0-150000.1.14.3, spacecmd-4.3.16-150000.3.89.1, spacewalk-client-tools-4.3.13-150000.3.71.3, uyuni-proxy-systemd-services-4.3.7-150000.1.9.3
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (src): golang-github-boynux-squid_exporter-1.6-150000.1.9.1, prometheus-blackbox_exporter-0.19.0-150000.1.14.3
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (src): golang-github-boynux-squid_exporter-1.6-150000.1.9.1, prometheus-blackbox_exporter-0.19.0-150000.1.14.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4439-1: An update that solves 12 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (moderate)
Bug References: 1188571,1189520,1192383,1192763,1193492,1193686,1199810,1201535,1201539,1202945,1203283,1203596,1203597,1203599
CVE References: CVE-2021-36222,CVE-2021-3711,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43813,CVE-2021-43815,CVE-2022-29170,CVE-2022-31097,CVE-2022-31107,CVE-2022-35957,CVE-2022-36062
JIRA References: PED-2145
Sources used:
SUSE Manager Tools 12 (src): golang-github-boynux-squid_exporter-1.6-1.9.1, grafana-8.5.13-1.36.2, prometheus-blackbox_exporter-0.19.0-1.14.1, spacecmd-4.3.16-38.112.1, spacewalk-client-tools-4.3.13-52.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.