CVE-2021-4160

{"id": "CVE-2021-4160", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2022-01-28T22:15:15.133", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3bf7b73ea7123045b8f972badc67ed6878e6c37f", "source": "openssl-security@openssl.org"}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6fc1aaaf303185aa5e483e06bdfae16daa9193a7", "source": "openssl-security@openssl.org"}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb", "source": "openssl-security@openssl.org"}, {"url": "https://security.gentoo.org/glsa/202210-02", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/", "source": "openssl-security@openssl.org"}, {"url": "https://www.debian.org/security/2022/dsa-5103", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.openssl.org/news/secadv/20220128.txt", "tags": ["Vendor Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb)."}, {"lang": "es", "value": "Se presenta un bug de propagaci\u00f3n carry en el procedimiento de cuadratura de MIPS32 y MIPS64. Muchos algoritmos de la CE est\u00e1n afectados, incluyendo algunas de las curvas por defecto de TLS versi\u00f3n 1.3. El impacto no es analizado en detalle, porque los requisitos previos para el ataque son considerados poco probables e incluyen el reuso de claves privadas. El an\u00e1lisis sugiere que los ataques contra RSA y DSA como resultado de este defecto ser\u00edan muy dif\u00edciles de llevar a cabo y no se consideran probables. Los ataques contra DH se consideran apenas factibles (aunque muy dif\u00edciles) porque la mayor parte del trabajo necesario para deducir informaci\u00f3n sobre una clave privada puede llevarse a cabo fuera de l\u00ednea. La cantidad de recursos necesarios para un ataque de este tipo ser\u00eda significativa. Sin embargo, para que un ataque a TLS tenga sentido, el servidor tendr\u00eda que compartir la clave privada DH entre m\u00faltiples clientes, lo que ya no es una opci\u00f3n desde CVE-2016-0701. Este problema afecta a OpenSSL versiones 1.0.2, 1.1.1 y 3.0.0. Se ha abordado en versiones 1.1.1m y 3.0.1 el 15 de diciembre de 2021. En el caso de la versi\u00f3n 1.0.2, ha sido abordada en el commit 6fc1aaaf3 de git, que s\u00f3lo est\u00e1 disponible para los clientes de soporte premium. Estar\u00e1 disponible en la versi\u00f3n 1.0.2zc cuando sea publicada. El problema s\u00f3lo afecta a OpenSSL en plataformas MIPS. Corregido en OpenSSL versi\u00f3n 3.0.1 (Afectado versi\u00f3n 3.0.0). Corregido en OpenSSL versi\u00f3n 1.1.1m (Afectado versi\u00f3n 1.1.1-1.1.1l). Corregido en OpenSSL versi\u00f3n 1.0.2zc-dev (Afectado versi\u00f3n 1.0.2-1.0.2zb)"}], "lastModified": "2024-06-21T19:15:21.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C0637240-BA4E-4B83-9E47-5418B2B8E76F", "versionEndIncluding": "1.0.2zb", "versionStartIncluding": "1.0.2"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6314E930-4FD0-42E6-8953-75205248D0C0", "versionEndExcluding": "1.1.1m", "versionStartIncluding": "1.1.1"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07D64A21-359E-40B7-8636-7E76D7466263"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "548C088E-7123-4825-B752-4DEA6A421766"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha10:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94E6E480-5E0C-4BDA-B904-38A8E025A38E"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha11:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68C330BD-0089-43E1-A5A7-89478D699FCC"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha12:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EDDBB564-F8B3-4354-92DD-CBA482E01F55"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha13:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA41AD12-87F2-4F8F-9D92-BD141D1BB5CF"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha14:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7276F4F-2520-4477-9D52-7BEB6188A714"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha15:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0B98C2A-2B8B-406F-8881-455640624D9F"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha16:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "408C7AFA-F4ED-4D36-91BD-E621D056F0F7"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha17:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "96457E9D-6EFC-4FB9-AAF5-A9A27B519BE0"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31593C1F-A2EA-4A47-8027-397C79EC9E30"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47AA30A-71D5-4AA4-9C0C-794B2705FE7F"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F4EAFB3-1345-4B67-8859-3EB1DFD23C59"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0F3FCF6-136F-4FF8-BB1D-B5D08E6C246C"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3438FAA2-AEBC-4A32-8E33-3035EE392CFE"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1AF93A67-34DE-44FC-9402-60048ADE8F1A"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "26ED655F-95C7-4A29-A0A1-F40C3150B36F"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:alpha9:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D6A2277-07F5-4D0F-BB36-268D0C449051"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "72F6B7A7-BCD5-42BE-A77A-B4A4CB3540B1"}, {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6F74415-4AD7-47E0-8792-F971E655954F"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:health_sciences_inform_publisher:6.2.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F12453B-0E7B-46B9-ADEC-0AC5EDC41058"}, {"criteria": "cpe:2.3:a:oracle:health_sciences_inform_publisher:6.3.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D105A5B-0AA8-4782-B804-CB1384F85884"}, {"criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.6.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A87D1B6-87DF-4BC6-9C3E-F3AA47E22C4D"}, {"criteria": "cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B1CAD50-749F-4ADB-A046-BF3585677A58"}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9"}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C89891C1-DFD7-4E1F-80A9-7485D86A15B5", "versionEndExcluding": "1.0"}, {"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4664B195-AF14-4834-82B3-0B2C98020EB6"}, {"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75BC588E-CDF0-404E-AD61-02093A1DF343"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B095CC03-7077-4A58-AB25-CC5380CDCE5A"}], "operator": "OR"}]}], "sourceIdentifier": "openssl-security@openssl.org"}