ID

VAR-202102-1488

CVE

CVE-2021-23841

TITLE

OpenSSL  In  NULL  Pointer dereference vulnerability

DESCRIPTION

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). Please keep an eye on CNNVD or manufacturer announcements. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: openssl security and bug fix update Advisory ID: RHSA-2021:4424-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:4424 Issue date: 2021-11-09 CVE Names: CVE-2021-23840 CVE-2021-23841 ==================================================================== 1. Summary: An update for openssl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * openssl: integer overflow in CipherUpdate (CVE-2021-23840) * openssl: NULL pointer dereference in X509_issuer_and_serial_hash() (CVE-2021-23841) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. 5. Bugs fixed (https://bugzilla.redhat.com/): 1908036 - openssl listens on IPv4 "any" socket only not on IPv6 1930310 - CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash() 1930324 - CVE-2021-23840 openssl: integer overflow in CipherUpdate 1934534 - Rebase OpenSSL to 1.1.1k 1934600 - DTLS1.0 connections are allowed in DEFAULT crypto-policy [rhel-8] 1939637 - Openssl -dtls option breaks in FIPS mode[rhel8] 1940085 - FIPS_selftest() fails in FIPS mode. 1965362 - In renegotiated handshake openssl sends extensions which client didn't advertise in second ClientHello [rhel-8] 6. Package List: Red Hat Enterprise Linux BaseOS (v. 8): Source: openssl-1.1.1k-4.el8.src.rpm aarch64: openssl-1.1.1k-4.el8.aarch64.rpm openssl-debuginfo-1.1.1k-4.el8.aarch64.rpm openssl-debugsource-1.1.1k-4.el8.aarch64.rpm openssl-devel-1.1.1k-4.el8.aarch64.rpm openssl-libs-1.1.1k-4.el8.aarch64.rpm openssl-libs-debuginfo-1.1.1k-4.el8.aarch64.rpm openssl-perl-1.1.1k-4.el8.aarch64.rpm ppc64le: openssl-1.1.1k-4.el8.ppc64le.rpm openssl-debuginfo-1.1.1k-4.el8.ppc64le.rpm openssl-debugsource-1.1.1k-4.el8.ppc64le.rpm openssl-devel-1.1.1k-4.el8.ppc64le.rpm openssl-libs-1.1.1k-4.el8.ppc64le.rpm openssl-libs-debuginfo-1.1.1k-4.el8.ppc64le.rpm openssl-perl-1.1.1k-4.el8.ppc64le.rpm s390x: openssl-1.1.1k-4.el8.s390x.rpm openssl-debuginfo-1.1.1k-4.el8.s390x.rpm openssl-debugsource-1.1.1k-4.el8.s390x.rpm openssl-devel-1.1.1k-4.el8.s390x.rpm openssl-libs-1.1.1k-4.el8.s390x.rpm openssl-libs-debuginfo-1.1.1k-4.el8.s390x.rpm openssl-perl-1.1.1k-4.el8.s390x.rpm x86_64: openssl-1.1.1k-4.el8.x86_64.rpm openssl-debuginfo-1.1.1k-4.el8.i686.rpm openssl-debuginfo-1.1.1k-4.el8.x86_64.rpm openssl-debugsource-1.1.1k-4.el8.i686.rpm openssl-debugsource-1.1.1k-4.el8.x86_64.rpm openssl-devel-1.1.1k-4.el8.i686.rpm openssl-devel-1.1.1k-4.el8.x86_64.rpm openssl-libs-1.1.1k-4.el8.i686.rpm openssl-libs-1.1.1k-4.el8.x86_64.rpm openssl-libs-debuginfo-1.1.1k-4.el8.i686.rpm openssl-libs-debuginfo-1.1.1k-4.el8.x86_64.rpm openssl-perl-1.1.1k-4.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-23840 https://access.redhat.com/security/cve/CVE-2021-23841 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYYrdYdzjgjWX9erEAQj6ABAAqRDnIaOs2B3rKsf4N+Yn925VrF08Yb7q x7j3ncYOIRGlsw5m363I2nkE1Fvf9w/O1aLXly3CTlLN1KpifKiRwBZOBVnBJC18 jDemxS0CvtuCxGwtESGRUawdRe6IkTF4z7zDVKjSDaPsNE5UOvpOX5DQaAEKVAvl GAiTKHgguLOaLNzwqEKOKCcWpQQOGUrzzN3JcTiqZTzPWShSzdvIsPcDf15nkK27 XVmplmluVxcaDbve7hVAx5Zo6/smM9UBVtgF2iEb45nxsGkh+czu6pHdowBbp4uP r4n9nSTI8Fl5HrtFYQERuf3Ft9+OWfVy7GSXxe5pNg3KVFyKVfo2bAPpt5cq1V7G 7ke1wnlKSNus/kUme+mtPjDZqTb4lbSsNq1MF37pZ1gUVsUU5C0J9lNTRdpcB2EK ZJRoPka2hXUpO9wGQfQ8c0Vvf93v6uN7X/0sTj42157nqJd0ry7/fmpvo7re/oKd xPHDALDjUvS4ZgUkqOb0G+fUb2LCLPUsWNEMql/WLZAfKZIVjcIeelIJSuJ8dLKv oZNVJOxAQbndFWHOpNRCVMayERK4XegHKQguDAEfWzVUAS4IGCc6cwY15KUJ5vaZ W9cJ1fu5LKx7Q19Wz3jYJkMnoy+JHYtU1WJJ5yUMwvQw1QgIcu15BNGKbydm7imX 2E9d3hgUSpw=WTA4 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . 8) - noarch 3. Description: EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. The following packages have been upgraded to a later upstream version: edk2 (20210527gite1999b264f1f). Description: Red Hat Advanced Cluster Management for Kubernetes 2.3.0 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana gement_for_kubernetes/2.3/html/release_notes/ Security: * fastify-reply-from: crafted URL allows prefix scape of the proxied backend service (CVE-2021-21321) * fastify-http-proxy: crafted URL allows prefix scape of the proxied backend service (CVE-2021-21322) * nodejs-netmask: improper input validation of octal input data (CVE-2021-28918) * redis: Integer overflow via STRALGO LCS command (CVE-2021-29477) * redis: Integer overflow via COPY command for large intsets (CVE-2021-29478) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions (CVE-2020-28500) * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing - -u- extension (CVE-2020-28851) * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852) * nodejs-ansi_up: XSS due to insufficient URL sanitization (CVE-2021-3377) * oras: zip-slip vulnerability via oras-pull (CVE-2021-21272) * redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms (CVE-2021-21309) * nodejs-lodash: command injection via template (CVE-2021-23337) * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) * browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364) * nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368) * nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369) * nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382) * nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383) * openssl: integer overflow in CipherUpdate (CVE-2021-23840) * openssl: NULL pointer dereference in X509_issuer_and_serial_hash() (CVE-2021-23841) * nodejs-ua-parser-js: ReDoS via malicious User-Agent header (CVE-2021-27292) * grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call (CVE-2021-27358) * nodejs-is-svg: ReDoS via malicious string (CVE-2021-28092) * nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character (CVE-2021-29418) * ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-trim-newlines: ReDoS in .end() method (CVE-2021-33623) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) * html-parse-stringify: Regular Expression DoS (CVE-2021-23346) * openssl: incorrect SSLv2 rollback protection (CVE-2021-23839) For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section. Bugs: * RFE Make the source code for the endpoint-metrics-operator public (BZ# 1913444) * cluster became offline after apiserver health check (BZ# 1942589) 3. Bugs fixed (https://bugzilla.redhat.com/): 1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension 1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag 1913444 - RFE Make the source code for the endpoint-metrics-operator public 1921286 - CVE-2021-21272 oras: zip-slip vulnerability via oras-pull 1927520 - RHACM 2.3.0 images 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 1930294 - CVE-2021-23839 openssl: incorrect SSLv2 rollback protection 1930310 - CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash() 1930324 - CVE-2021-23840 openssl: integer overflow in CipherUpdate 1932634 - CVE-2021-21309 redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms 1936427 - CVE-2021-3377 nodejs-ansi_up: XSS due to insufficient URL sanitization 1939103 - CVE-2021-28092 nodejs-is-svg: ReDoS via malicious string 1940196 - View Resource YAML option shows 404 error when reviewing a Subscription for an application 1940613 - CVE-2021-27292 nodejs-ua-parser-js: ReDoS via malicious User-Agent header 1941024 - CVE-2021-27358 grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call 1941675 - CVE-2021-23346 html-parse-stringify: Regular Expression DoS 1942178 - CVE-2021-21321 fastify-reply-from: crafted URL allows prefix scape of the proxied backend service 1942182 - CVE-2021-21322 fastify-http-proxy: crafted URL allows prefix scape of the proxied backend service 1942589 - cluster became offline after apiserver health check 1943208 - CVE-2021-23362 nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() 1944822 - CVE-2021-29418 nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character 1944827 - CVE-2021-28918 nodejs-netmask: improper input validation of octal input data 1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service 1948761 - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option 1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing 1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js 1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service 1955619 - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) 1956688 - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option 1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe 1957410 - CVE-2021-29477 redis: Integer overflow via STRALGO LCS command 1957414 - CVE-2021-29478 redis: Integer overflow via COPY command for large intsets 1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs 1966615 - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method 1968122 - clusterdeployment fails because hiveadmission sc does not have correct permissions 1972703 - Subctl fails to join cluster, since it cannot auto-generate a valid cluster id 1983131 - Defragmenting an etcd member doesn't reduce the DB size (7.5GB) on a setup with ~1000 spoke clusters 5. CVE-2021-30714: @08Tc3wBB of ZecOps, and George Nosenko CommCenter Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A device may accept invalid activation results Description: A logic issue was addressed with improved restrictions. CVE-2021-30740: Linus Henze (pinauten.de) Kernel Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A malicious application may disclose restricted memory Description: This issue was addressed with improved checks. CVE-2021-23841: Tavis Ormandy of Google CVE-2021-30698: Tavis Ormandy of Google Wi-Fi Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An attacker in WiFi range may be able to force a client to use a less secure authentication mechanism Description: A logic issue was addressed with improved validation. CommCenter We would like to acknowledge CHRISTIAN MINA and Stefan Sterz (@0x7374) of Secure Mobile Networking Lab at TU Darmstadt and Industrial Software at TU Wien for their assistance. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2021-05-25-2 macOS Big Sur 11.4 macOS Big Sur 11.4 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212529. AMD Available for: macOS Big Sur Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: A logic issue was addressed with improved state management. CVE-2021-30678: Yu Wang of Didi Research America AMD Available for: macOS Big Sur Impact: A local user may be able to cause unexpected system termination or read kernel memory Description: A logic issue was addressed with improved state management. CVE-2021-30676: shrek_wzw App Store Available for: macOS Big Sur Impact: A malicious application may be able to break out of its sandbox Description: A path handling issue was addressed with improved validation. CVE-2021-30688: Thijs Alkemade of Computest Research Division AppleScript Available for: macOS Big Sur Impact: A malicious application may bypass Gatekeeper checks Description: A logic issue was addressed with improved state management. CVE-2021-30669: Yair Hoffmann Audio Available for: macOS Big Sur Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-30707: hjy79425575 working with Trend Micro Zero Day Initiative Audio Available for: macOS Big Sur Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information Description: This issue was addressed with improved checks. CVE-2021-30685: Mickey Jin (@patch1t) of Trend Micro Core Services Available for: macOS Big Sur Impact: A malicious application may be able to gain root privileges Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. CVE-2021-30681: Zhongcheng Li (CK01) CoreAudio Available for: macOS Big Sur Impact: Processing a maliciously crafted audio file may disclose restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2021-30686: Mickey Jin of Trend Micro Crash Reporter Available for: macOS Big Sur Impact: A malicious application may be able to modify protected parts of the file system Description: A logic issue was addressed with improved state management. CVE-2021-30727: Cees Elzinga CVMS Available for: macOS Big Sur Impact: A local attacker may be able to elevate their privileges Description: This issue was addressed with improved checks. CVE-2021-30724: Mickey Jin (@patch1t) of Trend Micro Dock Available for: macOS Big Sur Impact: A malicious application may be able to access a user's call history Description: An access issue was addressed with improved access restrictions. CVE-2021-30673: Josh Parnham (@joshparnham) Graphics Drivers Available for: macOS Big Sur Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution Description: A logic issue was addressed with improved state management. CVE-2021-30684: Liu Long of Ant Security Light-Year Lab Graphics Drivers Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2021-30735: Jack Dates of RET2 Systems, Inc. (@ret2systems) working with Trend Micro Zero Day Initiative Heimdal Available for: macOS Big Sur Impact: A local user may be able to leak sensitive user information Description: A logic issue was addressed with improved state management. CVE-2021-30697: Gabe Kirkpatrick (@gabe_k) Heimdal Available for: macOS Big Sur Impact: A malicious application may cause a denial of service or potentially disclose memory contents Description: A memory corruption issue was addressed with improved state management. CVE-2021-30710: Gabe Kirkpatrick (@gabe_k) Heimdal Available for: macOS Big Sur Impact: A malicious application could execute arbitrary code leading to compromise of user information Description: A use after free issue was addressed with improved memory management. CVE-2021-30683: Gabe Kirkpatrick (@gabe_k) ImageIO Available for: macOS Big Sur Impact: Processing a maliciously crafted image may lead to disclosure of user information Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2021-30687: Hou JingYi (@hjy79425575) of Qihoo 360 ImageIO Available for: macOS Big Sur Impact: Processing a maliciously crafted image may lead to disclosure of user information Description: This issue was addressed with improved checks. CVE-2021-30700: Ye Zhang(@co0py_Cat) of Baidu Security ImageIO Available for: macOS Big Sur Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-30701: Mickey Jin (@patch1t) of Trend Micro and Ye Zhang of Baidu Security ImageIO Available for: macOS Big Sur Impact: Processing a maliciously crafted ASTC file may disclose memory contents Description: This issue was addressed with improved checks. CVE-2021-30705: Ye Zhang of Baidu Security Intel Graphics Driver Available for: macOS Big Sur Impact: A local user may be able to cause unexpected system termination or read kernel memory Description: An out-of-bounds read issue was addressed by removing the vulnerable code. CVE-2021-30719: an anonymous researcher working with Trend Micro Zero Day Initiative Intel Graphics Driver Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2021-30728: Liu Long of Ant Security Light-Year Lab CVE-2021-30726: Yinyi Wu(@3ndy1) of Qihoo 360 Vulcan Team Kernel Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved validation. CVE-2021-30740: Linus Henze (pinauten.de) Kernel Available for: macOS Big Sur Impact: An application may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved state management. CVE-2021-30704: an anonymous researcher Kernel Available for: macOS Big Sur Impact: Processing a maliciously crafted message may lead to a denial of service Description: A logic issue was addressed with improved state management. CVE-2021-30715: The UK's National Cyber Security Centre (NCSC) Kernel Available for: macOS Big Sur Impact: An application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow was addressed with improved size validation. CVE-2021-30736: Ian Beer of Google Project Zero Kernel Available for: macOS Big Sur Impact: A local attacker may be able to elevate their privileges Description: A memory corruption issue was addressed with improved validation. CVE-2021-30739: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab Kext Management Available for: macOS Big Sur Impact: A local user may be able to load unsigned kernel extensions Description: A logic issue was addressed with improved state management. CVE-2021-30680: Csaba Fitzl (@theevilbit) of Offensive Security LaunchServices Available for: macOS Big Sur Impact: A malicious application may be able to break out of its sandbox Description: This issue was addressed with improved environment sanitization. CVE-2021-30677: Ron Waisberg (@epsilan) Login Window Available for: macOS Big Sur Impact: A person with physical access to a Mac may be able to bypass Login Window Description: A logic issue was addressed with improved state management. CVE-2021-30702: Jewel Lambert of Original Spin, LLC. Mail Available for: macOS Big Sur Impact: An attacker in a privileged network position may be able to misrepresent application state Description: A logic issue was addressed with improved state management. CVE-2021-30696: Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences Model I/O Available for: macOS Big Sur Impact: Processing a maliciously crafted USD file may disclose memory contents Description: An information disclosure issue was addressed with improved state management. CVE-2021-30723: Mickey Jin (@patch1t) of Trend Micro CVE-2021-30691: Mickey Jin (@patch1t) of Trend Micro CVE-2021-30692: Mickey Jin (@patch1t) of Trend Micro CVE-2021-30694: Mickey Jin (@patch1t) of Trend Micro Model I/O Available for: macOS Big Sur Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2021-30725: Mickey Jin (@patch1t) of Trend Micro Model I/O Available for: macOS Big Sur Impact: Processing a maliciously crafted USD file may disclose memory contents Description: An out-of-bounds read was addressed with improved input validation. CVE-2021-30746: Mickey Jin (@patch1t) of Trend Micro Model I/O Available for: macOS Big Sur Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A validation issue was addressed with improved logic. CVE-2021-30693: Mickey Jin (@patch1t) & Junzhi Lu (@pwn0rz) of Trend Micro Model I/O Available for: macOS Big Sur Impact: Processing a maliciously crafted USD file may disclose memory contents Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2021-30695: Mickey Jin (@patch1t) & Junzhi Lu (@pwn0rz) of Trend Micro Model I/O Available for: macOS Big Sur Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2021-30708: Mickey Jin (@patch1t) & Junzhi Lu (@pwn0rz) of Trend Micro Model I/O Available for: macOS Big Sur Impact: Processing a maliciously crafted USD file may disclose memory contents Description: This issue was addressed with improved checks. CVE-2021-30709: Mickey Jin (@patch1t) of Trend Micro NSOpenPanel Available for: macOS Big Sur Impact: An application may be able to gain elevated privileges Description: This issue was addressed by removing the vulnerable code. CVE-2021-30679: Gabe Kirkpatrick (@gabe_k) OpenLDAP Available for: macOS Big Sur Impact: A remote attacker may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2020-36226 CVE-2020-36227 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36221 CVE-2020-36228 CVE-2020-36222 CVE-2020-36230 CVE-2020-36229 PackageKit Available for: macOS Big Sur Impact: A malicious application may be able to overwrite arbitrary files Description: An issue with path validation logic for hardlinks was addressed with improved path sanitization. CVE-2021-30738: Qingyang Chen of Topsec Alpha Team and Csaba Fitzl (@theevilbit) of Offensive Security Security Available for: macOS Big Sur Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution Description: A memory corruption issue in the ASN.1 decoder was addressed by removing the vulnerable code. CVE-2021-30737: xerub smbx Available for: macOS Big Sur Impact: An attacker in a privileged network position may be able to perform denial of service Description: A logic issue was addressed with improved state management. CVE-2021-30716: Aleksandar Nikolic of Cisco Talos smbx Available for: macOS Big Sur Impact: An attacker in a privileged network position may be able to execute arbitrary code Description: A memory corruption issue was addressed with improved state management. CVE-2021-30717: Aleksandar Nikolic of Cisco Talos smbx Available for: macOS Big Sur Impact: An attacker in a privileged network position may be able to leak sensitive user information Description: A path handling issue was addressed with improved validation. CVE-2021-30721: Aleksandar Nikolic of Cisco Talos smbx Available for: macOS Big Sur Impact: An attacker in a privileged network position may be able to leak sensitive user information Description: An information disclosure issue was addressed with improved state management. CVE-2021-30722: Aleksandar Nikolic of Cisco Talos smbx Available for: macOS Big Sur Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: A logic issue was addressed with improved state management. CVE-2021-30712: Aleksandar Nikolic of Cisco Talos Software Update Available for: macOS Big Sur Impact: A person with physical access to a Mac may be able to bypass Login Window during a software update Description: This issue was addressed with improved checks. CVE-2021-30668: Syrus Kimiagar and Danilo Paffi Monteiro SoftwareUpdate Available for: macOS Big Sur Impact: A non-privileged user may be able to modify restricted settings Description: This issue was addressed with improved checks. CVE-2021-30718: SiQian Wei of ByteDance Security TCC Available for: macOS Big Sur Impact: A malicious application may be able to send unauthorized Apple events to Finder Description: A validation issue was addressed with improved logic. CVE-2021-30671: Ryan Bell (@iRyanBell) TCC Available for: macOS Big Sur Impact: A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited. Description: A permissions issue was addressed with improved validation. CVE-2021-30713: an anonymous researcher WebKit Available for: macOS Big Sur Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A cross-origin issue with iframe elements was addressed with improved tracking of security origins. CVE-2021-30744: Dan Hite of jsontop WebKit Available for: macOS Big Sur Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2021-21779: Marcin Towalski of Cisco Talos WebKit Available for: macOS Big Sur Impact: A malicious application may be able to leak sensitive user information Description: A logic issue was addressed with improved restrictions. CVE-2021-30682: an anonymous researcher and 1lastBr3ath WebKit Available for: macOS Big Sur Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue was addressed with improved state management. CVE-2021-30689: an anonymous researcher WebKit Available for: macOS Big Sur Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2021-30749: an anonymous researcher and mipu94 of SEFCOM lab, ASU. working with Trend Micro Zero Day Initiative CVE-2021-30734: Jack Dates of RET2 Systems, Inc. (@ret2systems) working with Trend Micro Zero Day Initiative WebKit Available for: macOS Big Sur Impact: A malicious website may be able to access restricted ports on arbitrary servers Description: A logic issue was addressed with improved restrictions. CVE-2021-30720: David Schütz (@xdavidhu) WebRTC Available for: macOS Big Sur Impact: A remote attacker may be able to cause a denial of service Description: A null pointer dereference was addressed with improved input validation. CVE-2021-23841: Tavis Ormandy of Google CVE-2021-30698: Tavis Ormandy of Google Additional recognition App Store We would like to acknowledge Thijs Alkemade of Computest Research Division for their assistance. CoreCapture We would like to acknowledge Zuozhi Fan (@pattern_F_) of Ant- financial TianQiong Security Lab for their assistance. ImageIO We would like to acknowledge Jzhu working with Trend Micro Zero Day Initiative and an anonymous researcher for their assistance. Mail Drafts We would like to acknowledge Lauritz Holtmann (@_lauritz_) for their assistance. WebKit We would like to acknowledge Chris Salls (@salls) of Makai Security for their assistance. Installation note: This update may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAmCtU9AACgkQZcsbuWJ6 jjDC5g/+P0Hya9smOX6XVhxtnwe+vh2d5zOrKLBymdkvDPGw1UQoGOq08+7eu02Q vsManS/aP1UKNcMnbALHNFbFXv61ZjWi+71qgGGAQAe3EtYTJchBiIIyOBNIHoOJ 8X9sOeiyFzOOKw+GyVsBMNRL9Oh678USC4qgyyO5u2+Oexehu+6N9YNdAzwZgy6o muP+NlZ08s80ahRfq/6q8uKj7+Is0k5OEdxpWTnJOoXUDzZPj4Vo7H0HL6zjuqg3 CurJQABF3kDBWgZCvroMU6/HpbilGPE+JUFV7HPfaMe6iE3FsfrOq101w+/ovuNM hJ3yk/QENoh5BYdHKJo7zPVZBteGX20EVPdWfTsnz6a/hk568A+ICiupFIqwEuQv esIBWzgab9YUb2fAaZ071Z+lSn0Rj7tm3V/rhdwq19tYD3Q7BqEJ+YxYCH2zvyIB mP4/NoMpsDiTqFradR8Skac5uwINpZzAHjFyWLj0QVWVMxyQB8EGshR16YPkMryJ rjGyNIqZPcZ/Z6KJqpvNJrfI+b0oeqFMBUwpwK/7aQFPP/MvsM+UVSySipRiqwoa WAHMuY4SQwcseok7N6Rf+zAEYm9Nc+YglYpTW2taw6g0vWNIuCbyzPdC/Srrjw98 od2jLahPwyoBg6WBvXoZ6H4YOWFAywf225nYk3l5ATsG6rNbhYk= =Avma -----END PGP SIGNATURE----- . See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.2/html/release_notes/ Security fixes: * CVE-2021-3795 semver-regex: inefficient regular expression complexity * CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747 Related bugs: * RHACM 2.2.10 images (Bugzilla #2013652) 3. Bugs fixed (https://bugzilla.redhat.com/): 2004944 - CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747 2006009 - CVE-2021-3795 semver-regex: inefficient regular expression complexity 2013652 - RHACM 2.2.10 images 5. Description: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Bugs fixed (https://bugzilla.redhat.com/): 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet 1997017 - unprivileged client fails to get guest agent data 1998855 - Node drain: Sometimes source virt-launcher pod status is Failed and not Completed 2000251 - RoleBinding and ClusterRoleBinding brought in by kubevirt does not get reconciled when kind is ServiceAccount 2001270 - [VMIO] [Warm from Vmware] Snapshot files are not deleted after Successful Import 2001281 - [VMIO] [Warm from VMware] Source VM should not be turned ON if vmio import is removed 2001901 - [4.8.3] NNCP creation failures after nmstate-handler pod deletion 2007336 - 4.8.3 containers 2007776 - Failed to Migrate Windows VM with CDROM (readonly) 2008511 - [CNV-4.8.3] VMI is in LiveMigrate loop when Upgrading Cluster from 2.6.7/4.7.32 to OCP 4.8.13 2012890 - With descheduler during multiple VMIs migrations, some VMs are restarted 2025475 - [4.8.3] Upgrade from 2.6 to 4.x versions failed due to vlan-filtering issues 2026881 - [4.8.3] vlan-filtering is getting applied on veth ports 5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

overflow, code execution, xss

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-05-17T20:16:13.188000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE