Description
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
A buffer-overflow flaw was found in the python-cryptography package. Certain sequences of update() calls when symmetrically encrypting very large payloads (>2GB) could result in an integer overflow, leading to buffer overflows. Note: this fix is a workaround for the OpenSSL CVE-2021-23840 flaw. Source: pyca/cryptography project
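The advisory places the fix in cryptography 3.3.2, so the first question on any host is whether the installed package predates that release. The following check is an added example, not part of the advisory or of the pyca/cryptography project; it reads the installed version via `importlib.metadata` and compares it against 3.3.2 with a small version parser that deliberately treats pre-releases of the fixed version (for example `3.3.2rc1`) as still affected. The function names and the `FIXED_VERSION` constant are this example's own choices.

```python
"""Added example: report whether the installed `cryptography` package
predates the 3.3.2 release that carries the fix for this flaw."""
import re
from importlib import metadata

# First release carrying the fix, as stated in the advisory.
FIXED_VERSION = "3.3.2"

# Leading dotted release segment, e.g. "3.3.2" in "3.3.2rc1".
_RELEASE = re.compile(r"\d+(?:\.\d+)*")
# Pre-release markers that may follow the release segment.
_PRERELEASE = re.compile(r"^[.\-_]?(rc|alpha|beta|dev|a|b)", re.IGNORECASE)


def version_key(text: str) -> tuple:
    """Turn a version string into a comparable tuple.

    The numeric release parts come first; a trailing flag is 0 for a
    pre-release (rc, alpha, beta, dev) and 1 for a final release, so that
    '3.3.2rc1' sorts below '3.3.2' and is therefore reported as affected.
    """
    match = _RELEASE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(part) for part in match.group(0).split("."))
    suffix = text.strip()[match.end():]
    final_flag = 0 if _PRERELEASE.search(suffix) else 1
    return release + (final_flag,)


def is_affected(version: str) -> bool:
    """True when `version` is older than the fixed release (3.3.2)."""
    return version_key(version) < version_key(FIXED_VERSION)


def installed_status():
    """Return (installed_version, affected) or None when the package is absent."""
    try:
        installed = metadata.version("cryptography")
    except metadata.PackageNotFoundError:
        return None
    return installed, is_affected(installed)


if __name__ == "__main__":
    status = installed_status()
    if status is None:
        print("cryptography is not installed in this interpreter")
    else:
        version, affected = status
        verdict = "AFFECTED (older than 3.3.2)" if affected else "not affected"
        print(f"cryptography {version}: {verdict}")
```

Run it with the interpreter that the application actually uses (virtual environments and the python38/python39 module streams named in the table each carry their own copy of the package), since the check only sees the package visible to the interpreter it runs under.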
Statement
Triggering this flaw in the versions of python-cryptography shipped with Red Hat Enterprise Linux 8 BaseOS and AppStream, as well as Red Hat Software Collections, can result in a denial of service due to memory consumption or a MemoryError exception. In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-cryptography package.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.
Affected packages
Platform | Package | State | Advisory | Release
---|---|---|---|---
CloudForms Management Engine 5 | python-cryptography | Not affected | |
Red Hat Ansible Automation Platform 1.2 | cryptography | Will not fix | |
Red Hat Ansible Automation Platform 1.2 | python-cryptography | Will not fix | |
Red Hat Ansible Engine 2 | python-cryptography | Out of support scope | |
Red Hat Ansible Tower 3 | cryptography | Will not fix | |
Red Hat Enterprise Linux 7 | python-cryptography | Out of support scope | |
Red Hat Enterprise Linux 8 | python38:3.8/python-cryptography | Will not fix | |
Red Hat Enterprise Linux 8 | python39:3.9/python-cryptography | Will not fix | |
Red Hat Enterprise Linux 9 | python-cryptography | Not affected | |
Red Hat OpenStack Platform 13 (Queens) | python-cryptography | Will not fix | |
Additional information
Status:
EPSS:
CVSS3: 8.2 High