OpenSSL Security Advisory: High-Severity Vulnerabilities Fixed in Version 1.1.1k

The OpenSSL project issued a security advisory on 25 March 2021 detailing two high-severity vulnerabilities.

Related Content

Want to keep learning?

Subscribe to SSL.com’s newsletter, stay informed and secure.

The OpenSSL project issued a security advisory on 25 March 2021 detailing two high-severity vulnerabilities:

CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)

Summary: An error in the implementation of security checks enabled by the X509_V_FLAG_X509_STRICT flag “meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.”

This issue only affects applications that explicitly set the X509_V_FLAG_X509_STRICT flag (not set by default) and “either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.”

This vulnerability affects OpenSSL verions 1.1.1h and newer, and users of these versions should upgrade to version 1.1.1k.

NULL pointer deref in signature_algorithms processing (CVE-2021-3449)

Summary: This vulnerability allows an attacker to crash an OpenSSL TLS server by sending a maliciously crafted ClientHello message: “If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack.”

A server is vulnerable if it has TLSv1.2 and renegotiation enabled, the default configuration. All OpenSSL 1.1.1 versions are affected by this issue, and users of these versions should upgrade to version 1.1.1k.

 

SSL.com encourages all OpenSSL users to review the complete advisory and update their installations to OpenSSL 1.1.1k if they are running a version affected by either or both of these vulnerabilities. As always, feel free to contact the SSL.com support team at Support@SSL.com, 1-877-SSL-SECURE, or via the chat link on this page.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.