OpenSSL denial of service, certificate bypass vulnerabilities (CVE-2021-3449, CVE-2021-3450) warning

1. Basic information

OpenSSL is an open source software library. Applications use it for secure communication and, at the same time, to verify the identity of the remote party. The library is widely used by web servers on the Internet. On March 25, 2021, OpenSSL updated its official vulnerability disclosure list, disclosing a denial-of-service vulnerability and a certificate-bypass vulnerability in OpenSSL components. Vulnerability IDs: CVE-2021-3449, CVE-2021-3450.

2. Vulnerability description

CVE-2021-3449: Denial of Service Vulnerability

The OpenSSL TLS server contains a NULL pointer dereference. An attacker can, without authentication, construct and send a malicious ClientHello message that triggers it, ultimately causing a denial of service on the server.

CVE-2021-3450: certificate verification vulnerability

This vulnerability stems from a check, added to OpenSSL and active when the X509_V_FLAG_X509_STRICT flag is set, that runs while the validity of a CA certificate is being verified. A flaw in this check causes it to overwrite the verification result. An attacker can exploit this flaw without authentication to forge a certificate that appears trusted and mount a man-in-the-middle attack, ultimately leaking sensitive server information.

3. Affected versions

OpenSSL 1.1.1h through 1.1.1j
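To turn the affected range above into a quick inventory check, the following POSIX sh helper (added here as an example; it is not part of the advisory or of the OpenSSL project) parses the output of `openssl version` and reports whether the reported release falls within 1.1.1h to 1.1.1j. The sample version strings at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Parse "openssl version" output and decide whether the reported release is
# inside the range named in the advisory (1.1.1h through 1.1.1j).
# Exit status: 0 = inside the affected range, 1 = outside it, 2 = unparseable.
openssl_in_affected_range() {
    # Extract the version token, e.g. "1.1.1j" from "OpenSSL 1.1.1j  16 Feb 2021".
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    base=${ver%%[a-z]*}      # numeric part, e.g. "1.1.1"
    letter=${ver#"$base"}    # patch letter, e.g. "j" (may be empty)
    # Only the 1.1.1 series is listed; 1.0.2 and 3.x are outside the range.
    [ "$base" = "1.1.1" ] || return 1
    case "$letter" in
        h|i|j) return 0 ;;   # 1.1.1h, 1.1.1i, 1.1.1j
        *)     return 1 ;;   # earlier letters lack the check, later ones fix it
    esac
}

# Print a human-readable verdict; the exit status mirrors the helper's.
check_openssl_version() {
    rc=0
    openssl_in_affected_range "$1" || rc=$?
    case $rc in
        0) echo "AFFECTED: '$1' is within 1.1.1h-1.1.1j; upgrade." ;;
        1) echo "not in the affected range: '$1'" ;;
        *) echo "could not parse version string: '$1'" ;;
    esac
    return $rc
}

# Constructed sample input; on a real host use: check_openssl_version "$(openssl version)"
check_openssl_version "OpenSSL 1.1.1j  16 Feb 2021"
```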

4. Security recommendations

A fixed version has been officially released; affected users are advised to update to the latest version promptly. The link is as follows:

https://openssl.en.softonic.com/

5. Reference links

1. https://www.openssl.org/news/vulnerabilities.html

2. https://www.openssl.org/news/secadv/20210325.txt

Source: https://cstis.cn/post/51ba8cd9-5fcf-b5c4-509b-c7f37d39ea0d
