General information
This article contains information related to CVE-2021-46848, which is an out-of-bounds read flaw that was found in Libtasn1 due to an ETYPE_OK off-by-one error in the asn1_encode_simple_der() function. This flaw allows a remote attacker to pass specially crafted data or invalid values to the application, triggering an off-by-one error, corrupting the memory, and possibly performing a denial of service (DoS) attack.
This CVE was published 2022-10-24.
Official site for the CVE:
https://nvd.nist.gov/vuln/detail/CVE-2021-46848
The Nexus Security team has investigated the impact of CVE-2021-46848, and the possible impact on our components. The component-specific information is added in the table below.
Nexus components
This list contains the components from Nexus, and their respective affected versions.
Latest update date of this article
2022-11-16
Table of contents
/*<![CDATA[*/ div.rbtoc1763646359884 {padding: 0px;} div.rbtoc1763646359884 ul {list-style: disc;margin-left: 0px;} div.rbtoc1763646359884 li {margin-left: 0px;padding-left: 0px;} /*]]>*/ General information Nexus components
|
Component
|
Affected versions CVE-2021-46848
|
Comment
|
|---|---|---|
|
Smart ID Certificate Manager |
Not affected |
|
|
Nexus OCSP Responder |
Not affected |
|
|
Nexus Timestamp Server |
Not affected |
|
|
Smart ID Desktop App/Client |
Not affected |
|
|
Smart ID Mobile App |
Not affected |
|
|
Nexus Card SDK |
Not affected |
|
|
Smart ID Physical Access |
Not affected |
|
|
Smart ID Digital Access (previously named Hybrid Access Gateway – HAG) |
Not affected |
The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
|
Smart ID Identity Manager/PRIME |
Not affected |
The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
|
Smart ID Self-Service (Angular/SpringBoot-based) |
Not affected |
The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
|
Smart ID Self-Service Legacy USSP (Wicket-based) |
Not affected |
The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
|
Smart ID Messaging component - Hermod |
Not affected |
The containerized version of this component contains Libtasn1 in its baseOS image. The component itself does not use Libtasn1 at all. Next release of this component will have an updated Libtasn1 package. |
|
Nexus ID06 Service |
Not affected |
|
|
Nexus Go Cards |
Not affected |
|
Nexus strongly recommends you to contact your other suppliers as well.