Vulnerability CVE-2021-3618: Information

Description

ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.

Severity: HIGH (7.4) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3618

Published: March 23, 2022

Modified: Feb. 9, 2023

Error type identifier: CWE-295

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
nginx	sisyphus	1.22.0-alt1	1.24.0-alt6	ALT-PU-2022-2224-1	303519	Fixed
nginx	sisyphus_e2k	1.22.0-alt1	1.24.0-alt6	ALT-PU-2022-5550-1	-	Fixed
nginx	sisyphus_riscv64	1.22.0-alt1	1.24.0-alt6	ALT-PU-2022-5474-1	-	Fixed
nginx	p10	1.22.0-alt1	1.24.0-alt6	ALT-PU-2022-2243-1	303520	Fixed
nginx	p10_e2k	1.22.0-alt1	1.24.0-alt6	ALT-PU-2022-5512-1	-	Fixed
nginx	p9	1.22.0-alt1	1.24.0-alt3	ALT-PU-2022-2253-1	303522	Fixed
nginx	p9_e2k	1.22.0-alt1	1.22.1-alt1	ALT-PU-2022-6119-1	-	Fixed
nginx	p8	1.24.0-alt3	1.24.0-alt3	ALT-PU-2023-6722-2	332798	Fixed
nginx	c10f1	1.22.0-alt1	1.24.0-alt5	ALT-PU-2022-2243-1	303520	Fixed
nginx	c9f2	1.22.0-alt1	1.24.0-alt5	ALT-PU-2022-2267-1	303521	Fixed
nginx	p11	1.22.0-alt1	1.24.0-alt6	ALT-PU-2022-2224-1	303519	Fixed
sendmail	sisyphus	8.18.0-alt0.Alpha2	8.18.0-alt0.Alpha2	ALT-PU-2023-5845-2	330344	Fixed
sendmail	sisyphus_e2k	8.18.0-alt0.Alpha2	8.18.0-alt0.Alpha2	ALT-PU-2023-5900-1	-	Fixed
sendmail	sisyphus_riscv64	8.18.0-alt0.Alpha2	8.18.0-alt0.Alpha2	ALT-PU-2023-5957-1	-	Fixed
sendmail	p10	8.18.0-alt0.Alpha2	8.16.1-alt1	ALT-PU-2023-6299-1	330293	In work
sendmail	p11	8.18.0-alt0.Alpha2	8.18.0-alt0.Alpha2	ALT-PU-2023-5845-2	330344	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1975623	Issue Tracking Patch Third Party Advisory
https://alpaca-attack.com/	Third Party Advisory
[debian-lts-announce] 20221122 [SECURITY] [DLA 3203-1] nginx security update	Mailing List Third Party Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
  End excliding
  1.21.0
  
  Configuration 2
  cpe:2.3:a:sendmail:sendmail:*:*:*:*:*:*:*:*
  End excliding
  8.17
  
  Configuration 3
  cpe:2.3:a:vsftpd_project:vsftpd:*:*:*:*:*:*:*:*
  End excliding
  3.0.4
  
  Configuration 4
  cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  
  Configuration 5
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Version: v24.5.3

Vulnerability CVE-2021-3618: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5