Original Issue Date: August 31, 2021
Severity Rating: HIGH
Overview
Multiple vulnerabilities have been reported in OpenSSL which could be exploited by a remote attacker to execute arbitrary code, disclose potentially sensitive information or cause denial of service conditions on the targeted system.
Description
1. Buffer Overflow Vulnerability (CVE-2021-3711)
This vulnerability exists in OpenSSL due to improper bounds checking by the EVP_PKEY_decrypt() function within the implementation of SM2 decryption. A remote attacker can send specially crafted SM2 content for decryption to trigger a buffer overflow on the target system.
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or cause denial of service conditions on the targeted system.
2. Out-of-bounds Read Vulnerability (CVE-2021-3712)
This vulnerability exists in OpenSSL due to an out-of-bounds read when processing ASN.1 strings. A remote attacker can send specially crafted data to the application to trigger an out-of-bounds read error and read the contents of memory on the system. Successful exploitation of this vulnerability may allow a remote attacker to gain access to potentially sensitive information.
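The bug class described above, shown as an added example that is not code from this advisory or from OpenSSL: an ASN.1 string carries an explicit length and need not be NUL-terminated, so handling it as a C string reads past its end. The struct `lp_string`, the function names and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a length-delimited ASN.1 string: only `length`
 * bytes belong to the value and no terminating NUL is guaranteed. */
struct lp_string { const unsigned char *data; size_t length; };

/* Unsafe: treats data as a C string, so the read ignores `length` and
 * continues until it happens to meet a zero byte. */
size_t copy_as_cstring(const struct lp_string *s, char *out, size_t outsz)
{
    if (outsz == 0) return 0;
    size_t n = strlen((const char *)s->data);
    if (n >= outsz) n = outsz - 1;
    memcpy(out, s->data, n);
    out[n] = '\0';
    return n;
}

/* Safe: bounded by the declared length; also rejects embedded NUL bytes,
 * which a later C-string consumer would read as a shorter value. */
int copy_bounded(const struct lp_string *s, char *out, size_t outsz, size_t *written)
{
    if (s->data == NULL || outsz == 0 || s->length >= outsz) return -1;
    if (memchr(s->data, '\0', s->length) != NULL) return -1;
    memcpy(out, s->data, s->length);
    out[s->length] = '\0';
    *written = s->length;
    return 0;
}

/* Constructed sample: 11 bytes of string data followed, in the same array,
 * by unrelated bytes standing in for adjacent memory. */
static const unsigned char arena[] = "example.comADJACENT-SECRET";

struct lp_string sample_string(void)
{
    return (struct lp_string){ arena, 11 };
}

int main(void)
{
    char buf[64];
    size_t n = 0;
    struct lp_string s = sample_string();
    printf("unsafe copy: %zu bytes\n", copy_as_cstring(&s, buf, sizeof buf));
    if (copy_bounded(&s, buf, sizeof buf, &n) == 0)
        printf("bounded copy: %zu bytes: %s\n", n, buf);
    return 0;
}
```

The unsafe copy returns the neighbouring bytes along with the value, which is the information disclosure the advisory describes; the bounded copy returns only the declared 11 bytes.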
Solution
Apply the appropriate software fixes as mentioned in the vendor advisory:
https://www.openssl.org/news/secadv/20210824.txt