
Extended Lifecycle Support service providing updated OpenSSL to address CVE-2021-23841

March 4, 2021 - TuxCare expert team


A flaw has been disclosed in the OpenSSL API function X509_issuer_and_serial_hash() that may cause applications using it to crash, resulting in a potential denial of service (DoS) for their users.

The flaw lies in the way a hash is calculated from the Issuer and Serial Number fields of an X509 certificate: the calculation can fail inside OpenSSL and return a NULL value, and this in turn can crash the application that called the function.

The trigger is a maliciously created X509 certificate whose Issuer and Serial Number fields are specially crafted to provoke this behavior.

Note that OpenSSL itself never calls this function; only third-party applications that use it are at risk.

You can find the CVE submission here:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23841


It affects multiple applications, including Tenable.sc 5.13.0 to 5.17.0, NetApp 5, and others.

The affected versions are OpenSSL 1.1.1i and below. If you are using any version in the 1.1.1 to 1.1.1i range, you should upgrade to 1.1.1j.


OpenSSL 1.0.2 is no longer supported by the OpenSSL team, but our Extended Lifecycle Support team has prepared an updated OpenSSL 1.0.2 package for deployment to our users, so if your application relies on it, it will be protected.
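A quick triage check for the version ranges just described, written for this page as an added example (it is not TuxCare's or the OpenSSL project's own code): a POSIX shell function that parses an `openssl version` string and reports whether the build falls in the 1.1.1 to 1.1.1i range, is a 1.0.2 build that needs a vendor-backported package, or is outside the ranges the advisory lists. The function name, the category labels and the messages are this example's own choices.

```shell
#!/bin/sh
# Added example (not TuxCare's or OpenSSL's code): classify the output of
# `openssl version` against the version ranges given in the advisory above.
# The category names and messages are this example's own choice.
#
#   affected -> 1.1.1 .. 1.1.1i (upgrade to 1.1.1j) or any 1.0.2 build
#               (EOL upstream; needs a vendor-backported package such as ELS)
#   fixed    -> 1.1.1j or later in the 1.1.1 line
#   other    -> any version string outside the ranges the advisory lists
#
# Exit status: 0 = fixed/other, 1 = affected, 2 = unparseable.
cve_2021_23841_status() {
    # Pull "1.1.1i" / "1.0.2k" / "3.0.2" out of e.g. "OpenSSL 1.1.1i  8 Dec 2020"
    # or "OpenSSL 1.0.2k-fips  26 Jan 2017"; anything else (LibreSSL, empty) is unknown.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unknown: cannot parse '$1'"
        return 2
    fi
    base=$(printf '%s\n' "$ver" | sed 's/[a-z]*$//')     # numeric part, e.g. 1.1.1
    letter=$(printf '%s\n' "$ver" | sed 's/^[0-9.]*//')  # patch letter, e.g. i (may be empty)

    case "$base" in
        1.1.1)
            # Patch releases in the 1.1.1 line carry a single-letter suffix; the
            # advisory's fixed release is j, so plain 1.1.1 or a..i is affected.
            case "$letter" in
                ""|[a-i])
                    echo "affected: $ver, upgrade to OpenSSL 1.1.1j"
                    return 1 ;;
                *)
                    echo "fixed: $ver"
                    return 0 ;;
            esac ;;
        1.0.2)
            # Upstream no longer ships 1.0.2 fixes; the version string alone cannot
            # show whether a vendor backport (e.g. ELS) is installed.
            echo "affected: $ver, EOL upstream; needs a vendor-backported build (ELS)"
            return 1 ;;
        *)
            echo "other: $ver is outside the ranges listed in the advisory"
            return 0 ;;
    esac
}

# Stand-alone use: check the OpenSSL linked on this host, if the CLI is present.
if command -v openssl >/dev/null 2>&1; then
    cve_2021_23841_status "$(openssl version)" || true
fi
```

Two caveats a practitioner should keep in mind. Distributions and the ELS repository backport fixes without changing the upstream version string, so an "affected" result from this check means "inspect the package changelog", not "confirmed vulnerable". And an application that bundles or statically links its own OpenSSL is not covered by checking the system CLI; it has to be checked separately.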

The Extended Lifecycle Support service alleviates the pressure to either upgrade servers immediately or leave them exposed to future exploits. It makes it possible to keep running a retired operating system on any server for 4 more years past its EOL date. With end-of-life extended support in place, administrators can protect critical servers from newly disclosed vulnerabilities while planning their migration to a supported release.

CloudLinux offers continuing updates and support for end-of-life Linux distributions such as CentOS 6, Oracle Linux 6 and Ubuntu 16.04 LTS. No changes to your servers are needed: a single command adds the new repository file. Once the repository is added, CloudLinux continues to provide updates and security patches until June 2024. Learn more about the Extended Lifecycle Support service at https://elsportal.com/
