Cyber Resilience

CVE-2021-23841

Medium

Published: 16 February 2021

Published
16 February 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0096 76.9th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-23841 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in Tenable Nessus Network Monitor. Its CVSS base score is 5.9 (Medium).

Operationally, ranked in the top 23.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the…

more

issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

openssl
openssl
1.0.2 — 1.0.2y · 1.1.1 — 1.1.1j
debian
debian linux
10.0
tenable
nessus network monitor
5.11.0, 5.11.1, 5.12.0, 5.12.1, 5.13.0
tenable
tenable.sc
5.13.0 — 5.17.0
apple
safari
≤ 14.1.1
apple
ipados
≤ 14.6
apple
iphone os
≤ 14.6
apple
macos
11.1 — 11.4
netapp
oncommand insight
all versions
netapp
oncommand workflow automation
all versions
+13 more product configuration(s) — see NVD for full list

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References