OpenSSL has officially reported a buffer overflow vulnerability in specific versions. The ID of the vulnerability is CVE-2021-3711. A remote attacker can send SM2 content that overflows the buffer and then execute arbitrary code on the system or cause a denial of service.

Vulnerability details

This buffer overflow vulnerability is caused by improper bounds checking in the EVP_PKEY_decrypt() function, which is used to decrypt SM2-encrypted data. For more information, see the OpenSSL Security Advisory.

Affected services

Services that use the SM2 algorithm together with OpenSSL 1.1.1k or earlier.
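The affected range above is easy to get wrong by hand because OpenSSL 1.1.1 releases are distinguished by a trailing letter (1.1.1k is affected, 1.1.1l is the first 1.1.1 release that carries the fix). The following Python script is an added example, not part of this advisory or of ApsaraDB for Redis: it parses the banner printed by `openssl version` and flags hosts still on an affected 1.1.1 release. The host names and banner strings in the inventory are constructed sample data, and the helper names are the example's own.

```python
import re
import subprocess

# First 1.1.1 release containing the fix for CVE-2021-3711 (OpenSSL advisory, 24 Aug 2021).
FIXED_LETTER = "l"

# Matches "OpenSSL 1.1.1k  25 Mar 2021" style banners; the letter suffix may be absent.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from an `openssl version` banner, or None."""
    match = VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, patch, letter = match.groups()
    return int(major), int(minor), int(patch), letter


def is_affected_by_cve_2021_3711(banner):
    """True if the banner describes an OpenSSL 1.1.1 release up to and including 1.1.1k.

    Only the 1.1.1 series is classified here, matching the "1.1.1k or earlier" range in
    the advisory; other series (which either lack SM2 or already ship the fix) return False.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = parsed
    if (major, minor, patch) != (1, 1, 1):
        return False
    # Release letters sort lexically: "" (plain 1.1.1) < "k" < "l". Anything before "l" is affected.
    return letter < FIXED_LETTER


def affected_hosts(inventory):
    """Given {host: banner}, return the sorted list of hosts on an affected release."""
    return sorted(host for host, banner in inventory.items()
                  if is_affected_by_cve_2021_3711(banner))


def local_openssl_banner():
    """Banner of the OpenSSL binary on this machine (assumes `openssl` is on PATH)."""
    return subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=True).stdout.strip()


# Constructed sample inventory, as an asset scan might collect it.
SAMPLE_INVENTORY = {
    "redis-proxy-01": "OpenSSL 1.1.1k  25 Mar 2021",
    "redis-proxy-02": "OpenSSL 1.1.1l  24 Aug 2021",
    "legacy-gateway": "OpenSSL 1.1.1  11 Sep 2018",
    "build-runner":   "OpenSSL 3.0.0 7 sep 2021",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("%s: %s -> affected by CVE-2021-3711, update OpenSSL" % (host, SAMPLE_INVENTORY[host]))
    try:
        print("local:", local_openssl_banner())
    except (OSError, subprocess.CalledProcessError):
        print("local: openssl binary not found")
```

Note that the check only tells you whether the library is in the affected range; whether a given service actually exposes SM2 decryption to remote input is a separate question, so treat a hit as "update", not as proof of exploitability.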

Security suggestions

The SSL encryption feature of ApsaraDB for Redis is built on OpenSSL. OpenSSL has fixed this vulnerability in later versions, and ApsaraDB for Redis has followed up and fixed it at the earliest opportunity. You must update the minor version of your ApsaraDB for Redis instance to the latest version to eliminate the potential risk. For more information, see Update the minor version.