Cyber Resilience

CVE-2021-23840

High

Published: 16 February 2021

Modified: 16 April 2026
KEV Added: none (not listed in the CISA KEV catalog)
Patch: fixed in OpenSSL 1.1.1j and 1.0.2y
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0054 (68.1st percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-23840 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in McAfee ePolicy Orchestrator. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 31.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.


Vulnerability details

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (affected 1.0.2-1.0.2x).
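A caller-side guard for the failure mode described above, added here as an example and not taken from OpenSSL or from this advisory: it bounds the input length handed to any EVP_*Update call, splits oversized buffers into safe chunks, and rejects a result whose output length is negative even when the return code is 1. The worst-case output model (bytes buffered from the previous call plus the new input, rounded up to a whole block) is an assumption about the API's behaviour, not OpenSSL's own check.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Precondition for EVP_EncryptUpdate/EVP_DecryptUpdate/EVP_CipherUpdate.
 * Worst-case output of one call is modelled (assumption) as the bytes buffered
 * from the previous call plus inl, rounded up to a whole block. It is computed
 * in 64 bits so it cannot wrap, and one block of slack is kept below INT_MAX,
 * the largest value the int *outl argument can validly hold. */
int evp_update_len_is_safe(int inl, int block_size, int buffered)
{
    if (inl < 0 || block_size <= 0 || buffered < 0 || buffered >= block_size)
        return 0;
    long long worst = (long long)buffered + inl;
    worst = (worst + block_size - 1) / block_size * block_size;
    return worst <= (long long)INT_MAX - block_size;
}

/* Largest block-aligned chunk to pass in a single update call when the
 * buffer is larger than an int can describe; aligned chunks leave nothing
 * buffered between calls, so the precondition above holds with buffered == 0. */
int evp_safe_chunk_len(size_t remaining, int block_size)
{
    if (block_size <= 0)
        return 0;
    size_t cap = (size_t)(INT_MAX - block_size);
    cap -= cap % (size_t)block_size;
    return (int)(remaining < cap ? remaining : cap);
}

/* Postcondition on the (return code, *outl) pair. The CVE-2021-23840 symptom
 * is rc == 1 together with a negative outl, so success requires both checks. */
int evp_update_result_ok(int rc, int outl)
{
    return rc == 1 && outl >= 0;
}

int main(void)
{
    /* constructed input: a 5 GiB buffer and a 16-byte block size (64-bit size_t assumed) */
    size_t total = (size_t)5 << 30, done = 0;
    while (done < total) {
        int chunk = evp_safe_chunk_len(total - done, 16);
        if (!evp_update_len_is_safe(chunk, 16, 0))
            return 1;
        /* the real EVP_*Update call on this chunk would go here */
        done += (size_t)chunk;
    }
    printf("processed %zu bytes in safe chunks\n", done);
    printf("rc=1, outl=-1 accepted: %d\n", evp_update_result_ok(1, -1));
    return 0;
}
```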

CWE(s)

CWE-190: Integer Overflow or Wraparound

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / product: affected versions

openssl / openssl: 1.0.2 — 1.0.2y · 1.1.1 — 1.1.1j
debian / debian linux: 10.0
tenable / log correlation engine: ≤ 6.0.8
tenable / nessus network monitor: 5.11.0, 5.11.1, 5.12.0, 5.12.1, 5.13.0
oracle / business intelligence: 12.2.1.3.0, 12.2.1.4.0, 5.5.0.0.0, 5.9.0.0.0
oracle / communications cloud native core policy: 1.15.0
oracle / enterprise manager for storage management: 13.4.0.0
oracle / enterprise manager ops center: 12.4.0.0
oracle / graalvm: 19.3.5, 20.3.1.2, 21.0.0.2
oracle / jd edwards enterpriseone tools: ≤ 9.2.6.0
+11 more product configuration(s) — see NVD for full list

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References