CVE-2021-3450, CVE-2021-3449: OpenSSL Security Vulnerabilities Alert

OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites, for example Cisco devices, Apache servers and nginx servers. On March 25, 2021, OpenSSL issued a security update risk notice covering two vulnerabilities, CVE-2021-3450 and CVE-2021-3449.


Vulnerability Detail

CVE-2021-3450: Certificate verification vulnerability

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. Successful exploitation may enable an attacker to conduct a man-in-the-middle (MiTM) attack and obtain sensitive information.

Affected version

  • OpenSSL 1.1.1h-1.1.1j

Unaffected version

  • OpenSSL 1.1.1k

CVE-2021-3449: Denial of Service Vulnerability

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. 

Affected version

  • OpenSSL 1.1.1-1.1.1j

Unaffected version

  • OpenSSL 1.1.1k

Solution

We recommend that users upgrade OpenSSL to the latest version promptly.
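To decide which hosts need the upgrade, the affected ranges listed above can be checked against the banner printed by `openssl version`. The script below is an added example, not code from OpenSSL or from this alert; its function names are hypothetical, its sample banners are constructed, and it assumes letter releases after 1.1.1k retain the fixes.

```shell
#!/bin/sh
# Added example: map an `openssl version` banner to the CVEs in this alert.
# Function names are hypothetical; sample banners below are constructed.

# Extract the bare version ("1.1.1h") from a banner such as
# "OpenSSL 1.1.1h-fips  22 Sep 2020". Fails for non-OpenSSL banners.
extract_version() {
    case "$1" in
        "OpenSSL "*) _tok="${1#OpenSSL }" ;;
        *) return 1 ;;
    esac
    _tok="${_tok%% *}"   # drop the build date
    _tok="${_tok%%-*}"   # drop build suffixes such as -fips
    printf '%s\n' "$_tok"
}

# Classify a bare version against the ranges listed in the alert:
#   CVE-2021-3449: 1.1.1 through 1.1.1j
#   CVE-2021-3450: 1.1.1h through 1.1.1j
# Letters are listed explicitly because [a-g] ranges depend on the locale.
classify_openssl_version() {
    case "$1" in
        1.1.1|1.1.1[abcdefg]) echo "CVE-2021-3449" ;;
        1.1.1[hij])           echo "CVE-2021-3449 CVE-2021-3450" ;;
        # Assumption: letter releases after k keep the 1.1.1k fixes.
        1.1.1[klmnopqrstuvwxyz]*) echo "unaffected" ;;
        [0-9]*.[0-9]*.[0-9]*) echo "not-listed" ;;   # series the alert does not cover
        *) echo "unknown"; return 1 ;;
    esac
}

check_openssl_banner() {
    _ver="$(extract_version "$1")" || { echo "unknown"; return 1; }
    classify_openssl_version "$_ver"
}

# Constructed sample banners, followed by the local binary if one is installed.
for banner in "OpenSSL 1.1.1d  10 Sep 2019" "OpenSSL 1.1.1j-fips  16 Feb 2021" \
              "OpenSSL 1.1.1k  25 Mar 2021" "LibreSSL 3.3.6"; do
    printf '%-34s -> %s\n' "$banner" "$(check_openssl_banner "$banner" || true)"
done
if command -v openssl >/dev/null 2>&1; then
    local_banner="$(openssl version 2>/dev/null || true)"
    printf '%-34s -> %s\n' "$local_banner" "$(check_openssl_banner "$local_banner" || true)"
fi
```

Distribution packages often backport fixes without changing the upstream letter, so a result in an affected range should be confirmed against the vendor's advisory for that package build.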