Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients



General information

This article contains information related to CVE-2021-46848, which is an out-of-bounds read flaw that was found in Libtasn1 due to an ETYPE_OK off-by-one error in the asn1_encode_simple_der() function. This flaw allows a remote attacker to pass specially crafted data or invalid values to the application, triggering an off-by-one error, corrupting the memory, and possibly performing a denial of service (DoS) attack.
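
The off-by-one described above, as an added example that is not Libtasn1 source code: a simplified, constructed tag table with the faulty range test beside the corrected one. All names (tags, range_ok_off_by_one, range_ok_fixed, etype_ok, encode_simple) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a tag table indexed by element type. */
struct tag_entry { const char *desc; };

static const struct tag_entry tags[] = {
    { NULL },            /* 0: invalid type, never accepted */
    { "INTEGER" },
    { "BOOLEAN" },
    { "OCTET STRING" },
};
#define TAGS_SIZE (sizeof(tags) / sizeof(tags[0]))

/* Off-by-one range test: accepts etype == TAGS_SIZE, one past the end. */
int range_ok_off_by_one(unsigned etype) { return etype != 0 && etype <= TAGS_SIZE; }

/* Corrected range test: the largest valid index is TAGS_SIZE - 1. */
int range_ok_fixed(unsigned etype) { return etype != 0 && etype < TAGS_SIZE; }

/* Hardened validity check: range first, then the table lookup. */
int etype_ok(unsigned etype) { return range_ok_fixed(etype) && tags[etype].desc != NULL; }

/* Returns 1 when a range test would let a lookup index past the table.
   It only compares numbers, so no out-of-bounds access is performed here. */
int admits_out_of_bounds(int (*range_ok)(unsigned), unsigned etype)
{
    return range_ok(etype) && etype >= TAGS_SIZE;
}

/* Hypothetical encoder entry point: rejects bad types before any table access. */
int encode_simple(unsigned etype, const char **desc_out)
{
    if (!etype_ok(etype))
        return -1;
    *desc_out = tags[etype].desc;
    return 0;
}

int main(void)
{
    for (unsigned e = 0; e <= TAGS_SIZE + 1; e++)
        printf("etype=%u off_by_one=%d fixed=%d oob_with_off_by_one=%d\n", e,
               range_ok_off_by_one(e), range_ok_fixed(e),
               admits_out_of_bounds(range_ok_off_by_one, e));
    return 0;
}
```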

This CVE was published 2022-10-24.


Official site for the CVE:

https://nvd.nist.gov/vuln/detail/CVE-2021-46848

The Nexus Security team has investigated the impact of CVE-2021-46848, and the possible impact on our components. The component-specific information is added in the table below.

Nexus components

This list contains the components from Nexus, and their respective affected versions.

Latest update date of this article

2022-11-16




| Component | Affected versions CVE-2021-46848 | Comment |
|---|---|---|
| Smart ID Certificate Manager | Not affected | |
| Nexus OCSP Responder | Not affected | |
| Nexus Timestamp Server | Not affected | |
| Smart ID Desktop App/Client | Not affected | |
| Smart ID Mobile App | Not affected | |
| Nexus Card SDK | Not affected | |
| Smart ID Physical Access | Not affected | |
| Smart ID Digital Access (previously named Hybrid Access Gateway – HAG) | Not affected | The containerized version of this component contains Libtasn1 in its base OS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
| Smart ID Identity Manager/PRIME | Not affected | The containerized version of this component contains Libtasn1 in its base OS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
| Smart ID Self-Service (Angular/SpringBoot-based) | Not affected | The containerized version of this component contains Libtasn1 in its base OS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
| Smart ID Self-Service Legacy USSP (Wicket-based) | Not affected | The containerized version of this component contains Libtasn1 in its base OS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
| Smart ID Messaging component - Hermod | Not affected | The containerized version of this component contains Libtasn1 in its base OS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
| Nexus ID06 Service | Not affected | |
| Nexus Go Cards | Not affected | |

Nexus strongly recommends that you contact your other suppliers as well.