https://bugzilla.redhat.com/show_bug.cgi?id=2069364
Bug ID: 2069364
Summary: CVE-2021-43085 openssl: Insecure permissions vulnerability due to an error in the implementation of the CMAC_Final() function
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
Target Milestone: ---
Classification: Other
An Insecure Permissions vulnerability exists in the OpenSSL Project 3.0 due to an error in the implementation of the CMAC_Final() function.
Upstream issue:
https://github.com/openssl/openssl/issues/16873
Pedro Sampaio psampaio@redhat.com changed:
What    | Removed | Added
--------+---------+--------
Blocks  |         | 2069365
Simo Sorce ssorce@redhat.com changed:
What    | Removed | Added
--------+---------+-----------------------------
Flags   |         | needinfo?(psampaio@redhat.com)
CC      |         | ssorce@redhat.com
--- Comment #1 from Simo Sorce ssorce@redhat.com --- After reading the upstream issue I do not understand why you would open a security issue for this bug. There is no vulnerability opened by misusing the API with the wrong cipher block. Simply the CMAC that you get is not interoperable with any correctly used one.
If you see a direct way to exploit this please let us know. Otherwise, please just close this, the parent, and any related bugs as NOTABUG.
Sandipan Roy saroy@redhat.com changed:
What        | Removed | Added
------------+---------+---------------------
Resolution  | ---     | NOTABUG
Status      | NEW     | CLOSED
Last Closed |         | 2022-04-01 08:34:23
OSIDB Bzimport bzimport@bot.bugzilla.redhat.com changed:
What      | Removed | Added
----------+---------+-------------
Severity  | low     | unspecified
Priority  | low     | unspecified
--- Doc Text *updated* --- [REJECTED CVE] An Insecure Permissions bug exists in the OpenSSL Project 3.0 due to an error in the implementation of the CMAC_Final() function.