CVE-2021-3449

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).
References
Link Resource
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148 Mailing List Patch Vendor Advisory
https://www.openssl.org/news/secadv/20210325.txt Vendor Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd Third Party Advisory
https://www.debian.org/security/2021/dsa-4875 Third Party Advisory
https://security.netapp.com/advisory/ntap-20210326-0006/ Third Party Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/27/1 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/27/2 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/28/3 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/28/4 Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202103-03 Third Party Advisory
https://www.tenable.com/security/tns-2021-06 Third Party Advisory
https://www.tenable.com/security/tns-2021-05 Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/ Mailing List Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10356 Third Party Advisory
https://www.tenable.com/security/tns-2021-09 Third Party Advisory
https://security.netapp.com/advisory/ntap-20210513-0002/ Third Party Advisory
https://www.tenable.com/security/tns-2021-10 Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:freebsd:freebsd:12.2:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:12.2:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:12.2:p2:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:cloud_volumes_ontap_mediator:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*

Configuration 5 (hide)

OR cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:*
cpe:2.3:a:tenable:nessus_network_monitor:5.11.0:*:*:*:*:*:*:*
cpe:2.3:a:tenable:nessus_network_monitor:5.11.1:*:*:*:*:*:*:*
cpe:2.3:a:tenable:nessus_network_monitor:5.12.0:*:*:*:*:*:*:*
cpe:2.3:a:tenable:nessus_network_monitor:5.12.1:*:*:*:*:*:*:*
cpe:2.3:a:tenable:nessus_network_monitor:5.13.0:*:*:*:*:*:*:*
cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*

Configuration 6 (hide)

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 7 (hide)

OR cpe:2.3:a:mcafee:web_gateway:8.2.19:*:*:*:*:*:*:*
cpe:2.3:a:mcafee:web_gateway:9.2.10:*:*:*:*:*:*:*
cpe:2.3:a:mcafee:web_gateway:10.1.1:*:*:*:*:*:*:*
cpe:2.3:a:mcafee:web_gateway_cloud_service:8.2.19:*:*:*:*:*:*:*
cpe:2.3:a:mcafee:web_gateway_cloud_service:9.2.10:*:*:*:*:*:*:*
cpe:2.3:a:mcafee:web_gateway_cloud_service:10.1.1:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
OR cpe:2.3:o:checkpoint:quantum_security_management_firmware:r80.40:*:*:*:*:*:*:*
cpe:2.3:o:checkpoint:quantum_security_management_firmware:r81:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_security_management:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
OR cpe:2.3:o:checkpoint:multi-domain_management_firmware:r80.40:*:*:*:*:*:*:*
cpe:2.3:o:checkpoint:multi-domain_management_firmware:r81:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:multi-domain_management:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
OR cpe:2.3:o:checkpoint:quantum_security_gateway_firmware:r80.40:*:*:*:*:*:*:*
cpe:2.3:o:checkpoint:quantum_security_gateway_firmware:r81:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_security_gateway:-:*:*:*:*:*:*:*

Configuration 11 (hide)

OR cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:5.6:*:*:*:*:*:*:*

Information

Published : 2021-03-25 15:15

Updated : 2021-06-17 17:04


NVD link : CVE-2021-3449

Mitre link : CVE-2021-3449


JSON object : View

Products Affected

netapp

  • snapcenter
  • santricity_smi-s_provider
  • cloud_volumes_ontap_mediator
  • active_iq_unified_manager
  • ontap_select_deploy_administration_utility
  • storagegrid
  • oncommand_workflow_automation
  • oncommand_insight
  • e-series_performance_analyzer

openssl

  • openssl

freebsd

  • freebsd

mcafee

  • web_gateway_cloud_service
  • web_gateway

checkpoint

  • multi-domain_management
  • multi-domain_management_firmware
  • quantum_security_management_firmware
  • quantum_security_management
  • quantum_security_gateway
  • quantum_security_gateway_firmware

tenable

  • nessus_network_monitor
  • tenable.sc
  • log_correlation_engine
  • nessus

oracle

  • graalvm
  • mysql_server
  • mysql_workbench
  • secure_global_desktop

fedoraproject

  • fedora

debian

  • debian_linux
CWE
CWE-476

NULL Pointer Dereference