CVE-2021-38597: 
NixOS vulnerability analysis and mitigation

wolfSSL before version 4.8.1 contains a security vulnerability (CVE-2021-38597) where the software incorrectly skips OCSP (Online Certificate Status Protocol) verification in certain situations when irrelevant response data contains the NoCheck extension. This vulnerability was discovered and disclosed in August 2021 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue is related to insufficient verification of data authenticity (CWE-345) in the OCSP verification process. The vulnerability affects all versions of wolfSSL prior to 4.8.1 (NVD).

When exploited, this vulnerability could allow an attacker to bypass OCSP verification checks, potentially leading to acceptance of revoked certificates. This could compromise the confidentiality of the system by allowing unauthorized access to sensitive information (NVD).

The vulnerability has been fixed in wolfSSL version 4.8.1 and later. Users are strongly advised to upgrade to version 4.8.1 or newer to address this security issue. The fix involves improvements to the handling of OCSP no check extension (GitHub Patch, wolfSSL Changelog).