Vulnerability Name: CVE-2021-4160 (CCN-218394) Assigned: 2021-12-23 Published: 2022-01-28 Updated: 2022-11-09 Summary: There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701 . This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb). CVSS v3 Severity: 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): HighPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): NoneAvailibility (A): None
6.7 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): HighPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
5.6 Medium (CCN CVSS v2 Vector: AV:L/AC:H/Au:N/C:C/I:C/A:N Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): HighAthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): None
Vulnerability Type: CWE-noinfo Vulnerability Consequences: Gain Access References: Source: MITRECVE-2021-4160 https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf openssl-cve20214160-weak-security(218394) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3bf7b73ea7123045b8f972badc67ed6878e6c37f https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6fc1aaaf303185aa5e483e06bdfae16daa9193a7 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb GLSA-202210-02 DSA-5103 Vulnerabilities in Node.js affect IBM App Connect Enterprise & IBM Integration Bus (CVE-2021-4160) WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 OpenSSL (Publicly disclosed vulnerability) IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 IBM Spectrum Control is vulnerable to multiple weaknesses related to XStream, Apache Xerces2, Jackson, OpenSSL, and Java SE Multiple vulnerabilities in multiple dependencies affect IBM MessageGateway/ MessageSight Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors IBM Aspera Faspex 4.4.2 has addressed multiple security vulnerabilities Vulnerabilities in OpenSSL affect IBM Spectrum Protect Plus SQL, File Indexing, and Windows Host agents IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to weakened security in OpenSSL ( CVE-2021-4160) IBM Sterling Control Center vulnerable to multiple issues to due IBM Cognos Analystics (CVE-2022-4160, CVE-2021-3733) IBM Aspera Orchestrator affected by vulnerability (CVE-2021-4160) Netcool Operations Insight v1.6.8 addresses multiple security vulnerabilities. OpenSSL Security Advisory [28 January 2022] https://www.openssl.org/news/secadv/20220128.txt Oracle Critical Patch Update Advisory - April 2022 https://www.oracle.com/security-alerts/cpuapr2022.html N/A CVE-2021-4160 Vulnerable Configuration: Configuration 1 :cpe:/a:openssl:openssl:3.0.0:-:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha1:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha10:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha11:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha12:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha13:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha14:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha15:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha16:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha17:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha2:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha3:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha4:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha5:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha6:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha7:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha8:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:alpha9:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:beta1:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:beta2:*:*:*:*:*:* OR cpe:/a:openssl:openssl:*:*:*:*:*:*:*:* (Version >= 1.0.2 and <= 1.0.2zb) OR cpe:/a:openssl:openssl:*:*:*:*:*:*:*:* (Version >= 1.1.1 and < 1.1.1m) Configuration 2 :cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:* Configuration 3 :cpe:/a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:* OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* OR cpe:/a:oracle:jd_edwards_enterpriseone_tools:9.2.6.3:*:*:*:*:*:*:* OR cpe:/a:oracle:health_sciences_inform_publisher:6.3.1.1:*:*:*:*:*:*:* OR cpe:/a:oracle:health_sciences_inform_publisher:6.2.1.1:*:*:*:*:*:*:* Configuration 4 :cpe:/a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:* OR cpe:/a:siemens:sinec_ins:*:*:*:*:*:*:*:* (Version < 1.0) OR cpe:/a:siemens:sinec_ins:1.0:-:*:*:*:*:*:* Configuration 5 :cpe:/a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:openssl:openssl:1.1.1:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:1.0.2:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:3.0.0:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:1.0.2zb:*:*:*:*:*:*:* OR cpe:/a:openssl:openssl:1.1.1l:*:*:*:*:*:*:* AND cpe:/a:ibm:websphere_mq:5.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:netcool/system_service_monitor:4.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:* OR cpe:/a:ibm:integration_bus:10.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:iot_messagesight:5.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:mq_for_hpe_nonstop:8.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:* OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:aspera_faspex:4.4.1:*:*:*:*:*:*:* BACK
openssl openssl 3.0.0 -
openssl openssl 3.0.0 alpha1
openssl openssl 3.0.0 alpha10
openssl openssl 3.0.0 alpha11
openssl openssl 3.0.0 alpha12
openssl openssl 3.0.0 alpha13
openssl openssl 3.0.0 alpha14
openssl openssl 3.0.0 alpha15
openssl openssl 3.0.0 alpha16
openssl openssl 3.0.0 alpha17
openssl openssl 3.0.0 alpha2
openssl openssl 3.0.0 alpha3
openssl openssl 3.0.0 alpha4
openssl openssl 3.0.0 alpha5
openssl openssl 3.0.0 alpha6
openssl openssl 3.0.0 alpha7
openssl openssl 3.0.0 alpha8
openssl openssl 3.0.0 alpha9
openssl openssl 3.0.0 beta1
openssl openssl 3.0.0 beta2
openssl openssl *
openssl openssl *
debian debian linux 9.0
debian debian linux 10.0
debian debian linux 11.0
oracle jd edwards world security a9.4
oracle peoplesoft enterprise peopletools 8.58
oracle peoplesoft enterprise peopletools 8.59
oracle jd edwards enterpriseone tools 9.2.6.3
oracle health sciences inform publisher 6.3.1.1
oracle health sciences inform publisher 6.2.1.1
siemens sinec ins 1.0 sp1
siemens sinec ins *
siemens sinec ins 1.0 -
oracle enterprise manager ops center 12.4.0.0
openssl openssl 1.1.1
openssl openssl 1.0.2
openssl openssl 3.0.0
openssl openssl 1.0.2zb
openssl openssl 1.1.1l
ibm websphere mq 5.3.1
ibm netcool/system service monitor 4.0.1
ibm spectrum protect plus 10.1.0
ibm app connect 11.0.0.0
ibm integration bus 10.0.0.0
ibm iot messagesight 5.0.0.0
ibm mq for hpe nonstop 8.1.0
ibm mobilefirst platform foundation 8.0.0.0
ibm app connect enterprise 12.0.1.0
ibm cognos analytics 11.2.0
ibm cognos analytics 11.1.7
ibm cognos analytics 11.2.1
ibm aspera faspex 4.4.1
Denotes that component is vulnerable