Vulnerability CVE-2021-22897: Information

Description

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-22897
Published: June 11, 2021
Modified: March 27, 2024
Error type identifier: CWE-668

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
MySQLsisyphus8.0.26-alt18.0.37-alt1.1ALT-PU-2021-2461-1281108Fixed
MySQLsisyphus_riscv648.0.27-alt1.0.rv648.0.37-alt0.portALT-PU-2021-4503-1-Fixed
MySQLp108.0.26-alt18.0.36-alt1ALT-PU-2021-2477-1282098Fixed
MySQLp98.0.26-alt18.0.26-alt2ALT-PU-2021-2571-1282101Fixed
MySQLc10f18.0.26-alt18.0.37-alt1ALT-PU-2021-2477-1282098Fixed
MySQLc9f28.0.26-alt28.0.36-alt0.c9.1ALT-PU-2021-3668-1291746Fixed
MySQLp118.0.26-alt18.0.37-alt1.1ALT-PU-2021-2461-1281108Fixed
curlsisyphus7.77.0-alt18.7.1-alt2ALT-PU-2021-1865-1272616Fixed
curlp107.77.0-alt18.7.1-alt2ALT-PU-2021-1865-1272616Fixed
curlp97.77.0-alt17.79.0-alt2ALT-PU-2021-1911-1272617Fixed
curlc10f17.77.0-alt18.6.0-alt1ALT-PU-2021-1865-1272616Fixed
curlc9f27.77.0-alt18.6.0-alt1ALT-PU-2021-2146-1276672Fixed
curlp117.77.0-alt18.7.1-alt2ALT-PU-2021-1865-1272616Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://curl.se/docs/CVE-2021-22897.html
  • Patch
  • Vendor Advisory
https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511
  • Patch
  • Third Party Advisory
https://hackerone.com/reports/1172857
  • Exploit
  • Issue Tracking
  • Third Party Advisory
N/A
  • Patch
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20210727-0007/
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
  • Patch
  • Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
  • Patch
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
  • Patch
  • Third Party Advisory

    1. Configuration 1

      cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
      Start including
      7.61.0
      End including
      7.76.1

      Configuration 2

      cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
      Start including
      8.0.0
      End including
      8.0.25
      cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*
      Start including
      21.0
      End excliding
      21.3
      cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*
      End excliding
      11.1.2.4.047
      cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
      End including
      5.7.34
      cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*

      Configuration 3

      cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
      cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:*
      cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*
      cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:*

      Configuration 4

      cpe:2.3:o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

      Configuration 5

      cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*

      Configuration 6

      cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

      Configuration 7

      cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

      Configuration 8

      cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*

      Configuration 9

      cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

      Configuration 10

      cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*

      Configuration 11

      cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
      Running on/with:
      cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

      Configuration 12

      cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
      End excliding
      1.0.1.1

      Configuration 13

      cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
      cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
      Start including
      9.0.0
      End excliding
      9.0.6
      cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
      Start including
      8.2.0
      End excliding
      8.2.12
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.3
Back to top