CVE-2021-4044: Invalid handling of X509_verify_cert() internal errors in libssl
21216
08 November 2022
08 November 2022
Closed
Low
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
No
CVE-2021-4044
Summary
Security Advisory ID : BSA-2022-1661
Component : OpenSSL
Revision : 1.0
A flaw was found in the way OpenSSL verifies certificates in the X509_verify_cert() function. X509_verify_cert() may return a negative value to indicate an internal error (for example, out of memory). OpenSSL mishandles such a negative return value: an I/O function such as SSL_connect() or SSL_do_handshake() will not indicate success, and a subsequent call to SSL_get_error() will return SSL_ERROR_WANT_RETRY_VERIFY. OpenSSL is only supposed to return that value if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not, the SSL_ERROR_WANT_RETRY_VERIFY result from SSL_get_error() will be unexpected, and applications may not behave correctly as a result. The exact behavior depends on the application, but it could include crashes, infinite loops (an application that treats every unexpected SSL_get_error() value as "try again" will retry indefinitely, because the underlying internal error never clears), or other incorrect responses. OpenSSL 3.0.0 is affected by this issue; OpenSSL 1.1.1 and 1.0.2 are not, and the issue is fixed in OpenSSL 3.0.1.
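The following C program is an added illustration, not code from Brocade or from OpenSSL, of the application-side handshake loop the summary describes. It contrasts a common "retry on anything that is not a hard error" loop, which spins when SSL_get_error() keeps reporting SSL_ERROR_WANT_RETRY_VERIFY, with a hardened loop that only retries codes the application can actually satisfy and fails closed on SSL_ERROR_WANT_RETRY_VERIFY unless it installed a certificate-verify callback. The SSL_ERROR_* values are copied from OpenSSL 3.0's ssl.h (guarded so the real header may be included first); the SSL object and SSL_do_handshake()/SSL_get_error() step are a constructed simulation (sim_ssl, sim_handshake_step) so the file runs with no libssl and no network. The function and type names are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* SSL_get_error() codes, copied from OpenSSL 3.0's <openssl/ssl.h>.
 * Guarded so this file also compiles with the real header included first. */
#ifndef SSL_ERROR_NONE
#define SSL_ERROR_NONE               0
#endif
#ifndef SSL_ERROR_SSL
#define SSL_ERROR_SSL                1
#endif
#ifndef SSL_ERROR_WANT_READ
#define SSL_ERROR_WANT_READ          2
#endif
#ifndef SSL_ERROR_WANT_WRITE
#define SSL_ERROR_WANT_WRITE         3
#endif
#ifndef SSL_ERROR_SYSCALL
#define SSL_ERROR_SYSCALL            5
#endif
#ifndef SSL_ERROR_ZERO_RETURN
#define SSL_ERROR_ZERO_RETURN        6
#endif
#ifndef SSL_ERROR_WANT_RETRY_VERIFY
#define SSL_ERROR_WANT_RETRY_VERIFY 12
#endif

typedef enum { HS_DONE, HS_RETRY, HS_FATAL, HS_GAVE_UP } hs_action;
typedef hs_action (*classify_fn)(int ssl_err, bool app_set_verify_cb);

/* Common loop shape: retry on anything that is not a hard error.
 * Against CVE-2021-4044 this spins, because SSL_ERROR_WANT_RETRY_VERIFY
 * is really a masked internal X509_verify_cert() failure that never clears. */
hs_action classify_naive(int ssl_err, bool app_set_verify_cb)
{
    (void)app_set_verify_cb;
    switch (ssl_err) {
    case SSL_ERROR_NONE:        return HS_DONE;
    case SSL_ERROR_SSL:
    case SSL_ERROR_SYSCALL:
    case SSL_ERROR_ZERO_RETURN: return HS_FATAL;
    default:                    return HS_RETRY;
    }
}

/* Hardened loop: only retry codes the application knows how to satisfy. */
hs_action classify_hardened(int ssl_err, bool app_set_verify_cb)
{
    switch (ssl_err) {
    case SSL_ERROR_NONE:        return HS_DONE;
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:  return HS_RETRY;   /* wait for socket readiness, call again */
    case SSL_ERROR_WANT_RETRY_VERIFY:
        /* Legitimate only if this application installed a callback via
         * SSL_CTX_set_cert_verify_callback() that deliberately asks for a retry.
         * Otherwise it is the CVE-2021-4044 symptom: fail closed, do not loop. */
        return app_set_verify_cb ? HS_RETRY : HS_FATAL;
    default:                    return HS_FATAL;   /* SSL_ERROR_SSL, SSL_ERROR_SYSCALL, ... */
    }
}

/* Constructed stand-in for an SSL object: a script of SSL_get_error() results.
 * The last entry repeats forever, modelling a condition that never clears. */
typedef struct { const int *script; size_t len; size_t pos; } sim_ssl;

/* Stands in for one SSL_do_handshake() call followed by SSL_get_error(). */
static int sim_handshake_step(sim_ssl *s)
{
    int err = s->script[s->pos];
    if (s->pos + 1 < s->len) s->pos++;
    return err;
}

/* Drive the handshake with a retry budget. Returns HS_DONE on success,
 * HS_FATAL on a hard error, HS_GAVE_UP when the budget is exhausted (a real
 * loop without such a budget would never return). *steps_out receives the
 * number of handshake calls made. */
hs_action run_handshake(sim_ssl *s, classify_fn classify, bool app_set_verify_cb,
                        int max_retries, int *steps_out)
{
    int steps = 0, retries = 0;
    for (;;) {
        int err = sim_handshake_step(s);
        steps++;
        hs_action a = classify(err, app_set_verify_cb);
        if (a != HS_RETRY) { *steps_out = steps; return a; }
        if (++retries > max_retries) { *steps_out = steps; return HS_GAVE_UP; }
    }
}

static const char *hs_name(hs_action a)
{
    static const char *names[] = { "DONE", "RETRY", "FATAL", "GAVE_UP" };
    return names[a];
}

int main(void)
{
    static const int ok[]    = { SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE, SSL_ERROR_NONE };
    static const int stuck[] = { SSL_ERROR_WANT_RETRY_VERIFY };   /* CVE-2021-4044 symptom */
    sim_ssl a = { ok, 3, 0 }, b = { stuck, 1, 0 }, c = { stuck, 1, 0 };
    int n;
    hs_action r;
    r = run_handshake(&a, classify_naive, false, 100, &n);
    printf("naive, healthy peer:       %s after %d calls\n", hs_name(r), n);
    r = run_handshake(&b, classify_naive, false, 100, &n);
    printf("naive, internal error:     %s after %d calls\n", hs_name(r), n);
    r = run_handshake(&c, classify_hardened, false, 100, &n);
    printf("hardened, internal error:  %s after %d calls\n", hs_name(r), n);
    return 0;
}
```

The retry budget in run_handshake is there for the simulation; in production the fix is to upgrade to OpenSSL 3.0.1, and the classify_hardened policy (plus a deadline on the overall handshake) is the defensive layer for code that must tolerate a misbehaving library.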
Products Confirmed Not Affected
No other Brocade Fibre Channel products are affected.
Revision History
Version | Change | Date |
---|---|---|
1.0 | Initial Publication | Nov 8, 2022 |