Vulnerability Name:

CVE-2021-46848 (CCN-240735)

Assigned:2021-02-04
Published:2021-02-04
Updated:2023-01-20
Summary:GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
CVSS v3 Severity:9.1 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
8.2 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): High
9.1 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
8.2 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): High
5.9 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.3 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:9.4 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-125
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2021-46848

Source: XF
Type: UNKNOWN
gnu-cve202146848-info-disc(240735)

Source: CCN
Type: Libtasn1 GIT Repository
Out-of-bound access in ETYPE_OK

Source: CCN
Type: IBM Security Bulletin 6857613 (MQ Operator)
BM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libxml2, expat, libtasn1 and systemd

Source: CCN
Type: IBM Security Bulletin 6967243 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6967291 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: IBM Security Bulletin 6981853 (Watson Speech Services Cartridge for Cloud Pak for Data)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security restrictions bypass in GNU Libtasn1 [CVE-2021-46848]

Source: CCN
Type: IBM Security Bulletin 6986547 (Power HMC)
Vulnerability in libtasn1 (CVE-2021-46848) affects Power HMC

Source: CCN
Type: IBM Security Bulletin 6986569 (MQ Appliance)
IBM MQ Appliance is affected by multiple open source vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6989653 (Security Verify Access)
Multiple Security Vulnerabilities have been fixed in IBM Security Verify Access

Source: CCN
Type: IBM Security Bulletin 7001867 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: Mend Vulnerability Database
CVE-2021-46848

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*
    • Configuration RedHat 5:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
    • Configuration RedHat 6:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*
    • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:9:*:*:*:*:*:*:*
    • Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:9::baseos:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:security_verify_access:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7680
    P
    		libtasn1-4.13-150000.4.8.1 on GA media (Moderate)
    2023-06-12
    oval:com.redhat.rhsa:def:20230343
    P
    		RHSA-2023:0343: libtasn1 security update (Moderate)
    2023-01-23
    oval:com.redhat.rhsa:def:20230116
    P
    		RHSA-2023:0116: libtasn1 security update (Moderate)
    2023-01-12
    oval:org.opensuse.security:def:51940
    P
    		Security update for libtasn1 (Critical)
    2022-10-26
    BACK
    ibm security verify access 10.0.0
    ibm security verify access 10.0.1
    ibm security verify access 10.0.2
    ibm security verify access 10.0.3
    ibm robotic process automation for cloud pak 21.0.1
    ibm cloud pak for security 1.10.0.0