CVE-2021-3711: 
vulnerability analysis and mitigation

A bug in the implementation of OpenSSL's SM2 decryption code was discovered that affects versions 1.1.1k and below. The vulnerability (CVE-2021-3711) was reported on August 12th, 2021 by John Ouyang and fixed in OpenSSL version 1.1.1l. The issue occurs in the EVP_PKEY_decrypt() API function where the calculation of the buffer size required to hold the plaintext can be smaller than actually needed (OpenSSL Advisory).

The vulnerability exists in the SM2 decryption implementation where applications typically call EVP_PKEY_decrypt() twice - first with a NULL output parameter to get the required buffer size, then again with an allocated buffer. Due to a miscalculation, the first call can return a buffer size smaller than actually needed for the second call, leading to a buffer overflow of up to 62 bytes when the second call is made with an undersized buffer (CVE Details).

A successful exploit could allow an attacker to overflow the buffer with chosen data by up to 62 bytes, potentially altering application behavior, causing crashes through denial of service, or modifying other data held after the buffer. The affected buffer is typically heap allocated and application dependent (OpenSSL Advisory).

Users should upgrade to OpenSSL version 1.1.1l which contains the fix. OpenSSL 1.0.2 is not impacted by this vulnerability. For OpenSSL 3.0 alpha/beta releases, the issue was addressed before the final release. The fix was developed by Matt Caswell (OpenSSL Advisory).