CVE-2021-45079
Publication date 24 January 2022
Last updated 7 April 2026
Ubuntu priority
CVSS 3 Severity Score
Description
In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| strongswan | 25.10 questing | Fixed 5.9.4-1ubuntu4 |
| | 24.04 LTS noble | Fixed 5.9.4-1ubuntu4 |
| | 22.04 LTS jammy | Fixed 5.9.4-1ubuntu4 |
| | 20.04 LTS focal | Fixed 5.8.2-1ubuntu3.4 |
| | 18.04 LTS bionic | Fixed 5.6.2-1ubuntu2.8 |
| | 16.04 LTS xenial | Fixed 5.3.5-1ubuntu3.8+esm2 |
| | 14.04 LTS trusty | Fixed 5.1.2-0ubuntu2.11+esm2 |
Notes
elisehdy
The fix for this CVE has been released for all vulnerable versions except FIPS releases, where it is not expected to be updated. The Ubuntu priority has been reduced from high to medium to reflect this.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5250-1: strongSwan vulnerability (24 January 2022)
- USN-5250-2: strongSwan vulnerability (24 January 2022)