GNU Libtasn1 vulnerability

General information

This article contains information related to CVE-2021-46848, which is an out-of-bounds read flaw that was found in Libtasn1 due to an ETYPE_OK off-by-one error in the asn1_encode_simple_der() function. This flaw allows a remote attacker to pass specially crafted data or invalid values to the application, triggering an off-by-one error, corrupting the memory, and possibly performing a denial of service (DoS) attack.

This CVE was published 2022-10-24.

Official site for the CVE:

https://nvd.nist.gov/vuln/detail/CVE-2021-46848

The Nexus Security team has investigated the impact of CVE-2021-46848, and the possible impact on our components. The component-specific information is added in the table below.

Nexus components

This list contains the components from Nexus, and their respective affected versions.

Latest update date of this article

2022-11-16

Table of contents

Component	Affected versions CVE-2021-46848	Comment
Smart ID Certificate Manager	Not affected
Nexus OCSP Responder	Not affected
Nexus Timestamp Server	Not affected
Smart ID Desktop App/Client	Not affected
Smart ID Mobile App	Not affected
Nexus Card SDK	Not affected
Smart ID Physical Access	Not affected
Smart ID Digital Access (previously named Hybrid Access Gateway – HAG)	Not affected	The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package.
Smart ID Identity Manager/PRIME	Not affected	The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package.
Smart ID Self-Service (Angular/SpringBoot-based)	Not affected	The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package.
Smart ID Self-Service Legacy USSP (Wicket-based)	Not affected	The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package.
Smart ID Messaging component - Hermod	Not affected	The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package.
Nexus ID06 Service	Not affected
Nexus Go Cards	Not affected

Nexus strongly recommends you to contact your other suppliers as well.