Vulnerability in Openssl
CVE-2021-3449
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello…
EPSS: 0.635 (99.1th percentile) — read the EPSS interpretation.
Affected products
- Openssl — versions Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j)
Public proof-of-concept exploits
References
- www.openssl.org/news/secadv/20210325.txt
- git.openssl.org/gitweb/
- 20210325 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021 (vendor-advisory)
- DSA-4875 (vendor-advisory)
- [oss-security] 20210327 OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing (mailing-list)
- [oss-security] 20210327 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing (mailing-list)
- [oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing (mailing-list)
- [oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing (mailing-list)
- GLSA-202103-03 (vendor-advisory)
- FEDORA-2021-cbf14ab8f9 (vendor-advisory)
Frequently asked questions
- What is CVE-2021-3449?
- CVE-2021-3449 is a vulnerability in Openssl. Published 2021-03-25.
- Is CVE-2021-3449 known to be exploited?
- 50 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.