CVE-2021-41272: 
NixOS vulnerability analysis and mitigation

CVE-2021-41272 affects Besu, an Ethereum client written in Java. Starting in version 21.10.0, changes in the implementation of the SHL, SHR, and SAR operations resulted in a signed type coercion error for values representing negative 32-bit signed integers. The vulnerability was discovered in December 2021 and patched in version 21.10.2 (GitHub Advisory).

The vulnerability stems from improper handling of shift operations (SHL, SHR, and SAR) where shift values between approximately 2 billion and 4 billion bits trigger a signed type coercion error. While these shift values are nonsensical, they are technically valid operations. The issue was introduced in version 21.10.0 and has a CVSS v3.1 base score of 7.5 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability affects network consensus in multiple ways depending on the network configuration. In networks where vulnerable versions are mining alongside other clients or non-vulnerable versions, it results in a fork where affected transactions are excluded. In networks where vulnerable versions are not mining (such as Rinkeby), validator nodes stop accepting blocks. In networks running only vulnerable versions, affected transactions are not included in any blocks (GitHub Advisory).

The issue has been patched in Besu version 21.10.2. Users can either upgrade to this version or roll back to version 21.7.4, which is not affected by the vulnerability. For networks where a transaction with the problematic shift operations has already been included in the canonical chain, all nodes must be updated to non-vulnerable versions (GitHub Advisory).