PT-2021-6992 · Openssl+1
Bernd Edlinger · Published 2021-12-10 · Updated 2026-04-27
CVE-2021-4160
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenSSL versions 1.0.2 through 1.0.2zb
OpenSSL versions 1.1.1 through 1.1.1l
OpenSSL version 3.0.0
Description
A carry propagation bug in the MIPS32 and MIPS64 squaring procedure of the OpenSSL library can lead to the compromise of elliptic curve algorithms, including some of the TLS 1.3 default curves. The bug may allow a remote attacker to disclose protected information, particularly if private keys are reused. However, the prerequisites for an attack are considered unlikely, the impact was not analyzed in detail, and an attack would require significant resources.
Recommendations
For OpenSSL versions 1.0.2 through 1.0.2zb, update to version 1.0.2zc or apply the fix from git commit 6fc1aaaf3.
For OpenSSL versions 1.1.1 through 1.1.1l, update to version 1.1.1m.
For OpenSSL version 3.0.0, update to version 3.0.1.
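The version ranges and fixes above can be turned into an inventory check. The following is an added example, not code from OpenSSL or from this advisory; the function names and the sample rows are constructed, and it assumes the CPU architecture is reported in the style of Python's `platform.machine()`.

```python
import re

# Affected ranges as listed on this page: (base version, last affected suffix, fix).
AFFECTED = [
    ((1, 0, 2), "zb", "1.0.2zc"),
    ((1, 1, 1), "l", "1.1.1m"),
    ((3, 0, 0), "", "3.0.1"),
]
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def suffix_rank(suffix):
    """Order OpenSSL letter releases: '' < a < ... < z < za < zb < zc."""
    return sum(ord(c) - ord("a") + 1 for c in suffix)


def recommended_fix(version_text):
    """Return the page's fix version if the release is in a listed range, else None."""
    m = VERSION_RE.search(version_text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {version_text!r}")
    base = tuple(int(part) for part in m.group(1, 2, 3))
    for listed_base, last_suffix, fix in AFFECTED:
        if base == listed_base and suffix_rank(m.group(4)) <= suffix_rank(last_suffix):
            return fix
    return None


def needs_update(version_text, machine):
    """The bug is in the MIPS32/MIPS64 squaring code, so skip other CPUs.

    Assumption: `machine` is a platform.machine()-style string such as
    'mips', 'mipsel', 'mips64' or 'x86_64'.
    """
    if not machine.lower().startswith("mips"):
        return None
    return recommended_fix(version_text)


if __name__ == "__main__":
    # Constructed inventory rows: (`openssl version` style text, CPU architecture).
    for text, machine in [
        ("OpenSSL 1.0.2zb", "mips"),
        ("OpenSSL 1.1.1l", "mips64"),
        ("OpenSSL 1.1.1m", "mips64"),
        ("OpenSSL 3.0.0", "x86_64"),
    ]:
        print(f"{text:18} {machine:8} -> {needs_update(text, machine) or 'no update listed'}")
```

Distribution packages can carry a backported fix under an unchanged upstream version string, so a match here should be confirmed against the vendor's own advisory.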
Exploit
Fix
Use of a Broken Cryptographic Algorithm
Information Disclosure
Affected Products
Alt Linux
Openssl