Understanding CVE-2021-23840: OpenSSL Vulnerability and Required Actions

Welcome to today's security briefing where we will delve deeply into a significant vulnerability in OpenSSL that has been identified as CVE-2021-23840. This CVE has a high severity rating with a CVSS score of 7.5, signaling its potential impact on users and applications relying on the affected versions of OpenSSL.

What is OpenSSL and Its Significance?

OpenSSL is an open-source software library which provides robust and commercial-grade implementations of Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is designed to secure communications over computer networks against eavesdropping. A significant number of websites and online services use OpenSSL to encrypt data and authenticate communication, making it a critical component of internet security infrastructure.

Details of the CVE-2021-23840 Vulnerability

The CVE-2021-23840 vulnerability involves how EVP_CipherUpdate, EVP_EncryptUpdate, and EVP_DecryptUpdate functions handle data sizes close to the maximum permissible length for an integer on the platform. Despite returning a 'success' status, the output length may overflow, resulting in a negative length value. This incorrect behavior can cause dependent applications to act unpredictably or crash - posing significant security and operational risks.

Affected Versions and Fixes

The CVE-2021-23840 primarily impacts OpenSSL versions 1.1.1i and below, and 1.0.2x and below. For OpenSSL 1.1.1 series users, it is advised to upgrade to version 1.1.1j, where this vulnerability is remedied. As for OpenSSL 1.0.2 series, which no longer receives public updates, users with premium support should upgrade to version 1.0.2y. Others should make a switch to 1.1.1j, where applicable.

Why Immediate Action is Crucial?

The risks associated with not updating to a patched version include potential data breaches, system crashes, and a decreased trust in data security, particularly for services handling sensitive user information. Prompt action to update to secured versions not only ensures compliance with security norms but also protects organizational and user data from potential threats and exploitations.

How to Upgrade OpenSSL?

Upgrading OpenSSL is a straightforward process but requires careful execution to ensure that all dependencies are correctly managed. Organizations should perform the following steps:

  • Identify the currently running version of OpenSSL.
  • Review update notes for the target version to ensure compatibility with existing systems and applications.
  • Test the new version in a non-production environment to ensure that it does not interrupt operations or introduce new issues.
  • Plan a maintenance window for the upgrade process, minimizing impact on users.
  • Deploy the update across production environments, verifying the upgrade's success.

By flowing through these steps, organizations can manage their upgrade process systematically and with minimal disruption.

Conclusion

Addressing CVE-2021-23840 swiftly is pivotal for maintaining the integrity and security of systems utilizing OpenSSL. Understanding the implications of security vulnerabilities and effectively responding to them is a key component of modern cybersecurity defences. We hope this detailed guide assists you in managing this specific vulnerability and contributes to your ongoing security efforts.