OpenSSL denial of service, certificate bypass vulnerabilities (CVE-2021-3449, CVE-2021-3450) warning

1. Basic information

OpenSSL is an open source software library package. Applications can use this package for secure communication and at the same time confirm the identity of the connection person. This package is widely used in web servers on the Internet. On March 25, 2021, OpenSSL officially updated the vulnerability disclosure list. The notice disclosed the denial of service and certificate bypass vulnerabilities in OpenSSL components. Vulnerability numbers: CVE-2021-3449, CVE-2021-3450.

OpenSSL denial of service
OpenSSL denial of service, certificate bypass vulnerabilities

2. Vulnerability description

CVE-2021-3449: Denial of Service Vulnerability

OpenSSL TLS server has a null pointer vulnerability. Attackers can use this vulnerability to construct malicious data and send malicious ClientHello requests without authorization, which can eventually cause server denial of service.

CVE-2021-3450: certificate verification vulnerability

This vulnerability will add a check on the validity of the certificate CA certificate when the X509_V_FLAG_X509_STRICT flag is turned on. There is a loophole in this check, which causes the verification result to be overwritten. Attackers can use this loophole to construct malicious data forgery without authorization. Trusted certificates and the use of man-in-the-middle attacks can eventually cause the leakage of sensitive server information.

3. Scope of influence

openssl: 1.1.1h~1.1.1j

4. safety recommendations

The latest version has been officially released, and it is recommended that affected users update to the latest version in time. The link is as follows:

5. reference link




Post a Comment

Previous Post Next Post