
GNU Libtasn1 vulnerability

General information

This article contains information related to CVE-2021-46848, which is an out-of-bounds read flaw that was found in Libtasn1 due to an ETYPE_OK off-by-one error in the asn1_encode_simple_der() function. This flaw allows a remote attacker to pass specially crafted data or invalid values to the application, triggering an off-by-one error, corrupting the memory, and possibly performing a denial of service (DoS) attack.

This CVE was published 2022-10-24.
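The class of bug described above, modelled as an added example (constructed for this article, not libtasn1 source code): a validity check guarding a table lookup uses "<=" where "<" is needed, so an index equal to the table size is accepted. The table, its guard slot and all function names are hypothetical; the guard slot exists only so the off-by-one read has defined behaviour in the demo.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed lookup table: TAGS_SIZE valid slots plus one guard slot, so the
 * off-by-one read stays inside the array and the demo has defined behaviour. */
#define TAGS_SIZE 4u

struct tag_info { const char *desc; };

static const struct tag_info tags[TAGS_SIZE + 1] = {
    { NULL },            /* 0: reserved as "invalid type" */
    { "INTEGER" },
    { "OCTET STRING" },
    { "BOOLEAN" },
    { "<past end>" },    /* guard: stands in for whatever lies after the table */
};

/* Off-by-one check: "<=" lets type == TAGS_SIZE through. */
static int type_ok_buggy(unsigned type)
{
    return type != 0 && type <= TAGS_SIZE && tags[type].desc != NULL;
}

/* Corrected check: valid indexes are 0 .. TAGS_SIZE - 1. */
static int type_ok_fixed(unsigned type)
{
    return type != 0 && type < TAGS_SIZE && tags[type].desc != NULL;
}

/* Hypothetical encoder front end: returns the descriptor it would use,
 * or NULL when the caller-supplied type is rejected. */
static const char *lookup_desc(unsigned type, int (*type_ok)(unsigned))
{
    return type_ok(type) ? tags[type].desc : NULL;
}

int main(void)
{
    for (unsigned t = 0; t <= TAGS_SIZE + 1; t++) {
        const char *b = lookup_desc(t, type_ok_buggy);
        const char *f = lookup_desc(t, type_ok_fixed);
        printf("type %u: buggy=%s fixed=%s\n", t,
               b ? b : "rejected", f ? f : "rejected");
    }
    return 0;
}
```

In a real table without the guard slot, the entry accepted by the buggy check lies one element past the end of the array, which is the out-of-bounds read.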



Official site for the CVE:

https://nvd.nist.gov/vuln/detail/CVE-2021-46848

The Nexus Security team has investigated the impact of CVE-2021-46848, and the possible impact on our components. The component-specific information is added in the table below.

Nexus components

This list contains the components from Nexus, and their respective affected versions.

Latest update date of this article

2022-11-16






| Component | Affected versions CVE-2021-46848 | Comment |
|---|---|---|
| Smart ID Certificate Manager | Not affected | |
| Nexus OCSP Responder | Not affected | |
| Nexus Timestamp Server | Not affected | |
| Smart ID Desktop App/Client | Not affected | |
| Smart ID Mobile App | Not affected | |
| Nexus Card SDK | Not affected | |
| Smart ID Physical Access | Not affected | |
| Smart ID Digital Access (previously named Hybrid Access Gateway – HAG) | Not affected | The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
| Smart ID Identity Manager/PRIME | Not affected | The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
| Smart ID Self-Service (Angular/SpringBoot-based) | Not affected | The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
| Smart ID Self-Service Legacy USSP (Wicket-based) | Not affected | The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
| Smart ID Messaging component - Hermod | Not affected | The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
| Nexus ID06 Service | Not affected | |
| Nexus Go Cards | Not affected | |

Nexus strongly recommends that you contact your other suppliers as well.



Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.