wolfSSL not affected by CVE-2021-3711, nor CVE-2021-3712

It came to our attention that OpenSSL just published two new vulnerabilities.

  • CVE-2021-3711 – “SM2 decryption buffer overflow” (nakedsecurity)
  • CVE-202103712 – “Read buffer overruns processing ASN.1 strings.” (nakedsecurity)

These were specific OpenSSL issues and do not affect wolfSSL. For a list of CVEs that apply to wolfSSL please watch the security page on our website here: https://www.wolfssl.com/docs/security-vulnerabilities/

We wanted to take this opportunity to remind our customers and users that wolfSSL is in no way related to OpenSSL. wolfSSL was written from the ground up and is a unique SSL/TLS implementation.

That being said, wolfSSL does support an OpenSSL compatibility layer allowing OpenSSL users to drop in wolfSSL but continue to use the most commonly found OpenSSL API’s after re-compiling their applications to link against wolfSSL.

One individual also pointed out the time delta between report and fix on the above CVEs and wolfSSL would like to remind our customers and users of how proud we are of our less than 48 hour delta between report and fix. For more on our response time and process regarding vulnerabilities check out https://www.wolfssl.com/everything-wanted-know-wolfssl-support-handles-vulnerability-reports-afraid-ask/

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.