CVE-2021-4160
CVE-2021-4160 is a medium-severity vulnerability in Openssl with a CVSS 3.x base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 3.x base score 5.9)
- CVSS v2: 4.3
- EPSS exploit prediction: 4% (89th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Openssl
- Published:
- Last modified:
Description
There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).
Frequently asked questions
- What is CVE-2021-4160?
- There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).
- How severe is CVE-2021-4160?
- CVE-2021-4160 has a CVSS 3.x base score of 5.9, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2021-4160 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 4% (89th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-4160?
- CVE-2021-4160 primarily affects Openssl. In total, 34 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-4160?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-4160 published?
- CVE-2021-4160 was published on 2022-01-28 and last updated on 2026-06-17.
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3bf7b73ea7123045b8f972badc67ed6878e6c37f
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6fc1aaaf303185aa5e483e06bdfae16daa9193a7
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb
- https://security.gentoo.org/glsa/202210-02
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://www.debian.org/security/2022/dsa-5103
- https://www.openssl.org/news/secadv/20220128.txt
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Affected products (34)
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha10:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha11:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha12:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha13:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha14:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha15:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha16:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha17:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha7:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha8:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:alpha9:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:3.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:health_sciences_inform_publisher:6.2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:health_sciences_inform_publisher:6.3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
More vulnerabilities in Openssl
- CVE-2009-3245 — Critical (CVSS 10.0): OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c,…
- CVE-2006-3738 — Critical (CVSS 10.0): Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier…
- CVE-2026-31789 — Critical (CVSS 9.8): Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer…
- CVE-2022-2274 — Critical (CVSS 9.8): The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA…
- CVE-2021-3711 — Critical (CVSS 9.8): In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt().…
- CVE-2016-6309 — Critical (CVSS 9.8): statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote…
Threat intelligence
Threat-intel indicators referencing this CVE:
- 50.255.62.89 (ipv4-addr)
- 45.84.120.3 (ipv4-addr)
- 45.232.73.84 (ipv4-addr)
- 223.197.186.7 (ipv4-addr)
- 218.51.148.194 (ipv4-addr)
- 203.192.232.180 (ipv4-addr)
- 197.44.15.210 (ipv4-addr)
- 187.110.238.50 (ipv4-addr)