Vulnerability Name: CVE-2021-22901 (CCN-202563)
Assigned: 2021-05-26
Published: 2021-05-26
Updated: 2022-05-13

Summary: curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client.

When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.

CVSS v3 Severity:
  8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics:
      Attack Vector (AV): Network
      Attack Complexity (AC): High
      Privileges Required (PR): None
      User Interaction (UI): None
    Scope:
      Scope (S): Unchanged
    Impact Metrics:
      Confidentiality (C): High
      Integrity (I): High
      Availability (A): High

  8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics:
      Attack Vector (AV): Network
      Attack Complexity (AC): Low
      Privileges Required (PR): None
      User Interaction (UI): Required
    Scope:
      Scope (S): Unchanged
    Impact Metrics:
      Confidentiality (C): High
      Integrity (I): High
      Availability (A): High

CVSS v2 Severity:
  6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Exploitability Metrics:
      Access Vector (AV): Network
      Access Complexity (AC): Medium
      Authentication (Au): None
    Impact Metrics:
      Confidentiality (C): Partial
      Integrity (I): Partial
      Availability (A): Partial

  9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
    Exploitability Metrics:
      Access Vector (AV): Network
      Access Complexity (AC): Low
      Authentication (Au): Single_Instance
    Impact Metrics:
      Confidentiality (C): Complete
      Integrity (I): Complete
      Availability (A): Complete
Vulnerability Type: CWE-416
Vulnerability Consequences: Gain Access

References:
  Source: MITRE
    Type: CNA
    CVE-2021-22901
  Source: CONFIRM
    Type: Patch, Third Party Advisory
    https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
  Source: CONFIRM
    Type: Third Party Advisory
    https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf
  Source: CCN
    Type: Project curl Security Advisory, May 26th 2021
    TLS session caching disaster
  Source: MISC
    Type: Exploit, Patch, Vendor Advisory
    https://curl.se/docs/CVE-2021-22901.html
  Source: XF
    Type: UNKNOWN
    curl-cve202122901-code-exec(202563)
  Source: MISC
    Type: Patch, Third Party Advisory
    https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479
  Source: MISC
    Type: Exploit, Issue Tracking, Third Party Advisory
    https://hackerone.com/reports/1180380
  Source: CONFIRM
    Type: Third Party Advisory
    https://security.netapp.com/advisory/ntap-20210723-0001/
  Source: CONFIRM
    Type: Third Party Advisory
    https://security.netapp.com/advisory/ntap-20210727-0007/
  Source: CCN
    Type: IBM Security Bulletin 6479935 (MaaS360)
    A vulnerability was identified and remediated in the IBM MaaS360 Cloud Extender (V2.103.000.051) and Modules
  Source: CCN
    Type: IBM Security Bulletin 6494763 (Aspera Enterprise)
    IBM Aspera High-Speed Transfer Server, Endpoint, and Desktop Client are vulnerable to libcurl vulnerabilities (CVE-2021-22901, CVE-2021-22898)
  Source: CCN
    Type: IBM Security Bulletin 6510176 (PowerSC)
    Multiple vulnerabilities in Curl affect PowerSC
  Source: N/A
    Type: Patch, Third Party Advisory
    N/A
  Source: CCN
    Type: Oracle CPUApr2022
    Oracle Critical Patch Update Advisory - April 2022
  Source: MISC
    Type: Patch, Third Party Advisory
    https://www.oracle.com/security-alerts/cpuapr2022.html
  Source: CCN
    Type: Oracle CPUJan2022
    Oracle Critical Patch Update Advisory - January 2022
  Source: MISC
    Type: Patch, Third Party Advisory
    https://www.oracle.com/security-alerts/cpujan2022.html
  Source: CCN
    Type: Oracle CPUJul2021
    Oracle Critical Patch Update Advisory - July 2021
Vulnerable Configuration:
  Configuration 1:
    cpe:/a:haxx:curl:*:*:*:*:*:*:*:* (Version >= 7.75.0 and <= 7.76.1)
  Configuration 2:
    cpe:/a:oracle:mysql_server:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.0.25)
    OR cpe:/a:oracle:essbase:*:*:*:*:*:*:*:* (Version >= 21.0 and < 21.3)
    OR cpe:/a:oracle:essbase:*:*:*:*:*:*:*:* (Version < 11.1.2.4.047)
    OR cpe:/a:oracle:mysql_server:*:*:*:*:*:*:*:* (Version <= 5.7.34)
    OR cpe:/a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*
    OR cpe:/a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
  Configuration 3:
    cpe:/a:netapp:cloud_backup:-:*:*:*:*:*:*:*
    OR cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:*
    OR cpe:/a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
    OR cpe:/a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
    OR cpe:/a:netapp:solidfire_&_hci_management_node:-:*:*:*:*:*:*:*
    OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
    OR cpe:/o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*
    OR cpe:/a:netapp:solidfire,_enterprise_sds_&_hci_storage_node:-:*:*:*:*:*:*:*
    OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*
  Configuration 4:
    cpe:/o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*
    AND cpe:/h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
  Configuration 5:
    cpe:/o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
    AND cpe:/h:netapp:h300e:-:*:*:*:*:*:*:*
  Configuration 6:
    cpe:/o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
    AND cpe:/h:netapp:h300s:-:*:*:*:*:*:*:*
  Configuration 7:
    cpe:/o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
    AND cpe:/h:netapp:h410s:-:*:*:*:*:*:*:*
  Configuration 8:
    cpe:/o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
    AND cpe:/h:netapp:h500e:-:*:*:*:*:*:*:*
  Configuration 9:
    cpe:/o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
    AND cpe:/h:netapp:h500s:-:*:*:*:*:*:*:*
  Configuration 10:
    cpe:/o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
    AND cpe:/h:netapp:h700e:-:*:*:*:*:*:*:*
  Configuration 11:
    cpe:/o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
    AND cpe:/h:netapp:h700s:-:*:*:*:*:*:*:*
  Configuration 12:
    cpe:/a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* (Version < 1.0.1.1)
  Configuration CCN 1:
    cpe:/a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
haxx curl *
oracle mysql server *
oracle essbase *
oracle essbase *
oracle mysql server *
oracle communications cloud native core network slice selection function 1.8.0
oracle communications cloud native core network repository function 1.15.0
oracle communications cloud native core network function cloud native environment 1.10.0
oracle communications cloud native core service communication proxy 1.15.0
oracle communications cloud native core network repository function 1.15.1
oracle communications cloud native core binding support function 1.11.0
netapp cloud backup -
netapp snapcenter -
netapp oncommand workflow automation -
netapp oncommand insight -
netapp solidfire & hci management node -
netapp active iq unified manager -
netapp solidfire baseboard management controller firmware -
netapp solidfire, enterprise sds & hci storage node -
netapp active iq unified manager -
netapp hci compute node firmware -
netapp hci compute node -
netapp h300e firmware -
netapp h300e -
netapp h300s firmware -
netapp h300s -
netapp h410s firmware -
netapp h410s -
netapp h500e firmware -
netapp h500e -
netapp h500s firmware -
netapp h500s -
netapp h700e firmware -
netapp h700e -
netapp h700s firmware -
netapp h700s -
siemens sinec infrastructure network services *
oracle http server 12.2.1.3.0