It was found that openssl assumed ASN.1 strings to be NUL terminated. A malicious actor may be able to force an application into calling openssl function with a specially crafted, non-NUL terminated string to deliberately hit this bug, which may result in a crash of the application, causing a Denial of Service attack, or possibly, memory disclosure. The highest threat from this vulnerability is to data confidentiality and system availability.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | openssl | 2021-10-01 18:00 | ALAS-2021-1541 |
Amazon Linux 2 - Core | openssl | 2021-10-26 23:29 | ALAS2-2021-1721 |
Amazon Linux 2 - Core | openssl11 | 2021-10-04 20:17 | ALAS2-2021-1714 |
Amazon Linux 2 - Core | edk2 | 2024-03-13 20:26 | ALAS2-2024-2502 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv3 | 7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H |
NVD | CVSSv2 | 5.8 | AV:N/AC:M/Au:N/C:P/I:N/A:P |
NVD | CVSSv3 | 7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H |