Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2021-3449

Опубликовано: 25 мар. 2021
Источник: ubuntu
Приоритет: high
EPSS Средний
CVSS2: 4.3
CVSS3: 5.9

Описание

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

РелизСтатусПримечание
bionic

not-affected

devel

not-affected

esm-apps/bionic

not-affected

esm-apps/xenial

not-affected

esm-infra-legacy/trusty

DNE

esm-infra/focal

not-affected

focal

not-affected

groovy

not-affected

hirsute

not-affected

impish

not-affected

Показывать по

РелизСтатусПримечание
bionic

not-affected

uses system openssl1.0
devel

not-affected

uses system openssl1.1
esm-apps/bionic

not-affected

uses system openssl1.0
esm-apps/focal

not-affected

uses system openssl1.1
esm-apps/jammy

not-affected

12.22.9~dfsg-1ubuntu3
esm-apps/noble

not-affected

uses system openssl1.1
esm-apps/xenial

not-affected

uses system openssl
esm-infra-legacy/trusty

not-affected

uses system openssl
focal

not-affected

uses system openssl1.1
groovy

not-affected

uses system openssl1.1

Показывать по

РелизСтатусПримечание
bionic

released

1.1.1-1ubuntu2.1~18.04.9
devel

released

1.1.1j-1ubuntu3
esm-infra-legacy/trusty

not-affected

esm-infra/bionic

not-affected

1.1.1-1ubuntu2.1~18.04.9
esm-infra/focal

not-affected

1.1.1f-1ubuntu2.3
esm-infra/xenial

not-affected

1.0.2g-1ubuntu4.19
fips-preview/jammy

released

1.1.1j-1ubuntu3
fips-updates/bionic

released

1.1.1-1ubuntu2.fips.2.1~18.04.9.1
fips-updates/focal

released

1.1.1f-1ubuntu2.fips.7
fips-updates/jammy

released

1.1.1j-1ubuntu3

Показывать по

РелизСтатусПримечание
bionic

not-affected

1.0.2n-1ubuntu5.6
devel

DNE

esm-infra-legacy/trusty

DNE

esm-infra/bionic

not-affected

1.0.2n-1ubuntu5.6
esm-infra/focal

DNE

focal

DNE

groovy

DNE

hirsute

DNE

impish

DNE

jammy

DNE

Показывать по

РелизСтатусПримечание
bionic

released

10.18-0ubuntu0.18.04.1
devel

DNE

esm-infra-legacy/trusty

DNE

esm-infra/bionic

not-affected

10.18-0ubuntu0.18.04.1
esm-infra/focal

DNE

focal

DNE

hirsute

DNE

impish

DNE

jammy

DNE

kinetic

DNE

Показывать по

РелизСтатусПримечание
bionic

DNE

devel

DNE

esm-infra-legacy/trusty

DNE

esm-infra/focal

not-affected

12.8-0ubuntu0.20.04.1
focal

released

12.8-0ubuntu0.20.04.1
hirsute

DNE

impish

DNE

jammy

DNE

kinetic

DNE

lunar

DNE

Показывать по

РелизСтатусПримечание
bionic

DNE

devel

DNE

esm-infra-legacy/trusty

DNE

esm-infra/focal

DNE

focal

DNE

hirsute

released

13.4-0ubuntu0.21.04.1
impish

released

13.4-1
jammy

DNE

kinetic

DNE

lunar

DNE

Показывать по

РелизСтатусПримечание
bionic

DNE

devel

DNE

esm-infra-legacy/trusty

DNE

esm-infra/focal

DNE

focal

DNE

hirsute

DNE

impish

DNE

jammy

DNE

kinetic

DNE

lunar

DNE

Показывать по

РелизСтатусПримечание
bionic

DNE

devel

DNE

esm-infra-legacy/trusty

deferred

2019-08-23
esm-infra/focal

DNE

focal

DNE

hirsute

DNE

impish

DNE

jammy

DNE

kinetic

DNE

lunar

DNE

Показывать по

РелизСтатусПримечание
bionic

DNE

devel

DNE

esm-infra-legacy/trusty

DNE

esm-infra/focal

DNE

esm-infra/xenial

not-affected

code not present
focal

DNE

hirsute

DNE

impish

DNE

jammy

DNE

kinetic

DNE

Показывать по

Ссылки на источники

EPSS

Процентиль: 94%
0.13055
Средний

4.3 Medium

CVSS2

5.9 Medium

CVSS3

Связанные уязвимости

redhat логотип

CVE-2021-3449

CVSS3: 5.9
redhat
около 4 лет назад

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

nvd логотип

CVE-2021-3449

CVSS3: 5.9
nvd
около 4 лет назад

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

msrc логотип

CVE-2021-3449

msrc
больше 3 лет назад

OpenSSL: CVE-2021-3449 NULL pointer deref in signature_algorithms processing

debian логотип

CVE-2021-3449

CVSS3: 5.9
debian
около 4 лет назад

An OpenSSL TLS server may crash if sent a maliciously crafted renegoti ...

suse-cvrf логотип

openSUSE-SU-2021:0476-1

suse-cvrf
около 4 лет назад

Security update for openssl-1_1

EPSS

Процентиль: 94%
0.13055
Средний

4.3 Medium

CVSS2

5.9 Medium

CVSS3