Basic Information
CVSS Score: -
CVE ID: CVE-2021-22901
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: curl (OpenSSL TLS backend)
The vulnerability CVE-2021-22901 is a use-after-free in curl when handling TLS 1.3 session tickets with the OpenSSL backend. Analysis of the patch commit 7f4a9a9b2a49547eae24d2e19bc5c346e9026479 shows the following:

Before the patch, ossl_connect_step1 in lib/vtls/openssl.c stored a pointer to the Curl_easy structure (the transfer object, referred to as data) in the SSL object using SSL_set_ex_data. This was done to make the transfer object available to the ossl_new_session_cb callback.

ossl_new_session_cb is the OpenSSL callback that is triggered when a new session ticket arrives. It used SSL_get_ex_data to retrieve the stored Curl_easy pointer.

The problem arose when the Curl_easy object was freed (for example, after a transfer completed) before ossl_new_session_cb was invoked for that SSL session. This is possible because a connection can be kept alive and reused after the transfer that created it has been cleaned up, while the SSL object still holds the pointer stored during the handshake. In such cases ossl_new_session_cb dereferenced a dangling pointer, leading to a use-after-free.

The fix consists of:
a. Moving the code that stores the Curl_easy (and connection) pointers in the SSL object into a new function ossl_associate_connection.
b. Introducing a new function ossl_disassociate_connection, which is responsible for clearing these stored pointers (setting them to NULL) in the SSL object.
c. Modifying Curl_detach_connnection (in lib/multi.c) to call Curl_ssl_detach_conn (which in turn calls ossl_disassociate_connection for the OpenSSL backend), ensuring that when a transfer is detached from a connection, the associated pointers in the SSL object are cleared, so ossl_new_session_cb can no longer reach stale data.

Therefore, ossl_connect_step1 (in its pre-patch state) is identified as vulnerable because it set up the conditions for the use-after-free, and ossl_new_session_cb is identified as the function where the use-after-free manifests by attempting to use the freed memory. The patch evidence for ossl_connect_step1 is the removal of the direct SSL_set_ex_data calls; for ossl_new_session_cb it is the explicit mention in comments related to the fix and the purpose of the newly added ossl_disassociate_connection function.
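The lifecycle described above, reduced to a toy model as an added example (this is not curl code and does not use OpenSSL): a transfer pointer is parked in an ex_data-style slot on a connection that outlives the transfer, and the session-ticket callback later reads that slot. The function names associate, disassociate and new_session_cb are invented stand-ins for ossl_associate_connection, ossl_disassociate_connection and ossl_new_session_cb; the NULL check in the callback is this example's own guard, assumed rather than copied from the patch. The dangling case is reported, not dereferenced, so the program runs cleanly under a sanitizer while still showing which flow leaves the precondition for the use-after-free in place.

```c
/* Added example: toy model of the curl/OpenSSL session-ticket lifecycle.
 * Not curl code. Names are invented stand-ins for the functions in the text. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EX_DATA_IDX 0

struct transfer {              /* stands in for struct Curl_easy */
    char name[16];
    int tickets_seen;
};

struct ssl_conn {              /* stands in for the SSL object on a reusable connection */
    void *ex_data[1];          /* the slot SSL_set_ex_data() would write to */
};

/* pre-fix ossl_connect_step1 behaviour: park the transfer pointer for later callbacks */
static void associate(struct ssl_conn *ssl, struct transfer *data)
{
    ssl->ex_data[EX_DATA_IDX] = data;
}

/* post-fix ossl_disassociate_connection behaviour: clear the slot on detach */
static void disassociate(struct ssl_conn *ssl)
{
    ssl->ex_data[EX_DATA_IDX] = NULL;
}

/* stands in for ossl_new_session_cb: a session ticket arrived on the connection.
 * Returns 1 if a transfer was attached and updated, 0 if the slot was empty.
 * The NULL guard is an assumption of this example, not taken from curl. */
static int new_session_cb(struct ssl_conn *ssl)
{
    struct transfer *data = ssl->ex_data[EX_DATA_IDX];
    if (data == NULL)
        return 0;
    data->tickets_seen++;
    return 1;
}

/* Drive one connection through a transfer's lifetime.
 * Returns 1 if the connection still points at the transfer at the moment the
 * transfer is freed (the precondition for the use-after-free: the next ticket
 * would make new_session_cb read freed memory), 0 if detach cleared the slot.
 * Returns -1 on allocation failure. */
int late_ticket_is_dangling(int with_fix)
{
    struct ssl_conn ssl = { { NULL } };
    struct transfer *data = calloc(1, sizeof *data);
    if (!data)
        return -1;
    strcpy(data->name, "xfer-1");     /* constructed sample transfer */

    associate(&ssl, data);            /* handshake: ossl_connect_step1 */
    new_session_cb(&ssl);             /* ticket while the transfer is alive: fine */

    if (with_fix)
        disassociate(&ssl);           /* Curl_detach_connnection -> Curl_ssl_detach_conn */

    /* checked before free() so no freed pointer value is ever inspected */
    int dangling = (ssl.ex_data[EX_DATA_IDX] == data);
    free(data);                       /* transfer cleaned up, connection stays pooled */

    if (!dangling)
        new_session_cb(&ssl);         /* late ticket on the pooled connection: ignored */
    return dangling;
}

int main(void)
{
    printf("without fix: dangling=%d\n", late_ticket_is_dangling(0));
    printf("with fix:    dangling=%d\n", late_ticket_is_dangling(1));
    return 0;
}
```

Without the fix the slot still names the transfer when it is freed, so the next ticket on the pooled connection would be handled through a stale pointer; with the detach hook the slot is NULL and the callback has nothing to touch.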