openssl openssl CVE-2021-3449 vulnerability in OpenSSL and Other Products
Published on March 25, 2021

NULL pointer deref in signature_algorithms processing

product logo product logo product logo product logo product logo product logo product logo product logo product logo product logo product logo product logo product logo product logo product logo
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD


Products Associated with CVE-2021-3449

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-3449 are published in these products:

OpenSSL
 
Debian Linux
 
FreeBSD
 
Windriver Linux
 
NetApp Cloud Volumes Ontap Mediator
 
NetApp E Series Performance Analyzer
 
NetApp Oncommand Workflow Automation
 
NetApp Ontap Select Deploy Administration Utility
 
NetApp Santricity Smi S Provider
 
NetApp Storagegrid
 
Tenable Nessus
 
Tenable Sc
 
Fedora Project Fedora
 
McAfee Web Gateway
 
McAfee Web Gateway Cloud Service
 
NetApp Active Iq Unified Manager
 
NetApp Oncommand Insight
 
NetApp Snapcenter
 
Tenable Log Correlation Engine
 
Tenable Nessus Network Monitor
 
Oracle GraalVM
 
Oracle MySQL
 
Oracle Mysql Workbench
 
Oracle Secure Global Desktop
 
Canonical Ubuntu Linux
 
Oracle Essbase
 
Oracle Mysql Connectors
 
Oracle Peoplesoft Enterprise Peopletools
 
Oracle Zfs Storage Appliance Kit
 
SonicWall Capture Client
 
SonicWall Sonicos
 
Siemens Simatic Logon
 
Siemens Simatic Wincc Runtime Advanced
 
Siemens Simatic Wincc Telecontrol
 
Siemens Sinec Nms
 
Siemens Sinec Pni
 
Siemens Sinema Server
 
Siemens Sinumerik Opc Ua Server
 
Siemens Tia Administrator
 
Oracle Jd Edwards Enterpriseone Tools
 
Oracle Jd Edwards World Security
 
Oracle Secure Backup
 
Siemens Sinec Infrastructure Network Services
 
Oracle Primavera Unifier
 
Oracle Enterprise Manager Storage Management
 
Oracle Communications Communications Policy Management
 
nodejs node.js
 

Affected Versions

OpenSSL Version Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j) is affected by CVE-2021-3449

Exploit Probability

EPSS
9.58%
Percentile
92.71%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.