OpenSSL released a security advisory on February 16, 2021, describing 3 vulnerabilities: CVE-2021-23841, CVE-2021-23839 and CVE-2021-23840 [1].
Airlock Gateway is not affected.
Details
CVE-2021-23841 Null pointer deref in X509_issuer_and_serial_hash()
The affected function is not used by any Airlock Gateway component (Apache HTTP Server, curl, OpenSSL itself).
CVE-2021-23839 Incorrect SSLv2 rollback protection
Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. These versions are no longer used by any supported Airlock WAF/Gateway release.
CVE-2021-23840 Integer overflow in CipherUpdate
The affected OpenSSL functions (EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate) are used by apr-util (Apache Portable Runtime Utility Library). The utility functions are used by the Apache module mod_session. Airlock Gateway does not use mod_session or any other Apache module that relies on the affected OpenSSL functionality.
No action required.