Service Notices
Vulnerability Warning on OpenSSL Buffer Overflow (CVE-2021-3711)
Aug 26, 2021 GMT+08:00
I. Overview
OpenSSL disclosed two buffer overflow vulnerabilities (CVE-2021-3711 and CVE-2021-3712) in its released versions. CVE-2021-3711 is the higher-risk of the two: an attacker who can present SM2 content to an application for decryption may overflow a buffer, which can change the application's behavior or cause it to crash.
OpenSSL is an open-source software library. Applications use it to secure communications over computer networks against eavesdropping and to identify the party at the other end. It is widely used on web servers. If you use OpenSSL, check your OpenSSL version and apply the security hardening below without delay.
Reference: https://www.openssl.org/news/secadv/20210824.txt
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
  CVE-2021-3711: 1.1.1k and below
  CVE-2021-3712: 1.1.1k and below; 1.0.2y and below
Secure versions:
  CVE-2021-3711: 1.1.1l and above
  CVE-2021-3712: 1.1.1l and above; 1.0.2za and above
IV. Security Recommendations
These vulnerabilities have been fixed in later official versions. If your service runs a version in the affected range, upgrade it to the latest secure version:
https://www.openssl.org/source/
Note: Before fixing the vulnerabilities, back up your files and test the upgrade thoroughly.
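The notice asks you to check your OpenSSL version against the ranges in Section III. The following POSIX shell script is an added example (it is not part of this notice or of OpenSSL) that classifies a version string as affected, secure, or not listed for each CVE. It assumes OpenSSL version strings have the form "1.1.1k" or "1.0.2za" (three numeric components plus an optional lowercase patch-letter suffix), and that suffixes sort by length first ("za" follows "z") and then alphabetically; the function names and the sample version strings are constructed for this example.

```shell
#!/bin/sh
# Added example: classify OpenSSL versions against the ranges in this notice.
# Assumption: versions look like "1.1.1k" / "1.0.2za" (numeric base + optional
# lowercase letter suffix); "za" sorts after "z", which a plain string
# comparison ("za" < "y") would get wrong.

# suffix_rank SUFFIX -> numeric rank: "" -> 0, "a" -> 1 ... "z" -> 26, "za" -> 677 ...
suffix_rank() {
  s=$1
  rank=0
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}                 # first character of the remaining suffix
    s=${s#?}                        # drop it
    n=$(printf '%d' "'$c")          # ASCII code of the character
    rank=$(( rank * 26 + n - 96 ))  # base-26 digit, 'a' = 1
  done
  echo "$rank"
}

# parse_openssl_version "OpenSSL 1.1.1k  25 Mar 2021" -> 1.1.1k
parse_openssl_version() {
  set -- $1
  echo "$2"
}

# openssl_status CVE VERSION -> affected | secure | not-listed | unknown-cve
# Ranges are exactly those stated in Section III of the notice.
openssl_status() {
  cve=$1
  ver=$2
  base=$(printf '%s' "$ver" | sed 's/[a-z]*$//')   # e.g. 1.1.1
  suf=${ver#"$base"}                                # e.g. k
  r=$(suffix_rank "$suf")
  case "$cve" in
    CVE-2021-3711)
      case "$base" in
        1.1.1) [ "$r" -le "$(suffix_rank k)" ] && echo affected || echo secure ;;
        *)     echo not-listed ;;
      esac ;;
    CVE-2021-3712)
      case "$base" in
        1.1.1) [ "$r" -le "$(suffix_rank k)" ] && echo affected || echo secure ;;
        1.0.2) [ "$r" -le "$(suffix_rank y)" ] && echo affected || echo secure ;;
        *)     echo not-listed ;;
      esac ;;
    *) echo unknown-cve ;;
  esac
}

# report VERSION -> one line per CVE
report() {
  for cve in CVE-2021-3711 CVE-2021-3712; do
    printf '%s %s: %s\n' "$1" "$cve" "$(openssl_status "$cve" "$1")"
  done
}

# Constructed sample strings, as they would appear from `openssl version`.
for sample in "OpenSSL 1.1.1k  25 Mar 2021" "OpenSSL 1.0.2za  24 Aug 2021"; do
  report "$(parse_openssl_version "$sample")"
done

# Live check of the host's own binary, when one is installed.
if command -v openssl >/dev/null 2>&1; then
  report "$(parse_openssl_version "$(openssl version)")"
fi
```

Run it on the host, or feed it version strings collected from a fleet inventory; a version reported as not-listed (for example a 3.x release) is outside the ranges this notice covers and should be checked against the OpenSSL advisory directly.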