CVE Vulnerabilities

CVE-2021-3449

This vulnerability is marked as RESERVED by NVD. This means the CVE ID has been reserved by a CVE Numbering Authority (CNA) or a security researcher, but the details are not yet publicly available through NVD.

This page will reflect the classification results once they are available through NVD.

Any available vendor information is shown below.

Redhat

CVE-2021-3449 openssl: NULL pointer dereference in signature_algorithms processing

Mitigation

This flaw can be mitigated by disabling TLS renegotiation on servers linked against OpenSSL. Renegotiation is enabled by default in OpenSSL 1.1.1, but servers that do not require it can turn it off (OpenSSL exposes this as the SSL_OP_NO_RENEGOTIATION option), which removes the path to the crash. Versions of the httpd package shipped with Red Hat Enterprise Linux 8 have TLS renegotiation disabled by default.

Affected Software List

Name | Vendor | Version (fixed package)
JBoss Core Services on RHEL 7 | RedHat |
Red Hat Enterprise Linux 8 | RedHat | openssl-1:1.1.1g-15.el8_3
Red Hat Enterprise Linux 8.1 Extended Update Support | RedHat | openssl-1:1.1.1c-5.el8_1
Red Hat Enterprise Linux 8.2 Extended Update Support | RedHat | openssl-1:1.1.1c-18.el8_2
Red Hat JBoss Core Services 1 | RedHat |
Red Hat JBoss Web Server 3.1 | RedHat |
Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat-native-0:1.2.23-24.redhat_24.ep7.el7
Red Hat JBoss Web Server 5 | RedHat |
Red Hat JBoss Web Server 5.4 on RHEL 7 | RedHat | jws5-tomcat-native-0:1.2.25-4.redhat_4.el7jws
Red Hat JBoss Web Server 5.4 on RHEL 8 | RedHat | jws5-tomcat-native-0:1.2.25-4.redhat_4.el8jws
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 | RedHat | redhat-virtualization-host-0:4.4.5-20210330.0.el8_3

Ubuntu

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).
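The trigger described above is a specific shape of a renegotiation ClientHello, so it can be checked mechanically. The following Python script is an added example for this page, not code from OpenSSL, Ubuntu or Red Hat: it parses the extension list of a TLS ClientHello record and, given every ClientHello seen on one connection in order, reports whether a later (renegotiation) hello drops signature_algorithms while still carrying signature_algorithms_cert after the initial hello had signature_algorithms. The function and constant names, and the sample ClientHello bytes built by build_client_hello(), are constructed for illustration.

```python
import struct
from typing import Dict, List, Tuple

# IANA TLS ExtensionType values named in the advisory.
SIGNATURE_ALGORITHMS = 0x000D
SIGNATURE_ALGORITHMS_CERT = 0x0032
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01


def _parse(record: bytes) -> Dict[int, bytes]:
    if record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                            # client_version + random
    pos += 1 + hello[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    exts: Dict[int, bytes] = {}
    if pos == len(hello):
        return exts                                         # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if end != len(hello):
        raise ValueError("extensions length mismatch")
    while pos < end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("truncated extension")
        if etype in exts:
            raise ValueError("duplicate extension %#06x" % etype)
        exts[etype] = hello[pos:pos + elen]
        pos += elen
    return exts


def parse_client_hello_extensions(record: bytes) -> Dict[int, bytes]:
    """Return {extension_type: extension_data} for one ClientHello record.

    Anything malformed raises ValueError instead of being half-parsed, so a
    crafted hello cannot slip past the check by confusing the parser."""
    try:
        return _parse(record)
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello: %s" % exc) from None


def matches_cve_2021_3449(initial: Dict[int, bytes], renego: Dict[int, bytes]) -> bool:
    """The advisory's trigger: initial hello had signature_algorithms, the
    renegotiation hello omits it but includes signature_algorithms_cert."""
    return (SIGNATURE_ALGORITHMS in initial
            and SIGNATURE_ALGORITHMS not in renego
            and SIGNATURE_ALGORITHMS_CERT in renego)


def connection_has_trigger(client_hellos: List[bytes]) -> bool:
    """client_hellos: every ClientHello record sent client->server on one
    connection, in order. Any hello after the first is a renegotiation."""
    if not client_hellos:
        return False
    initial = parse_client_hello_extensions(client_hellos[0])
    return any(matches_cve_2021_3449(initial, parse_client_hello_extensions(h))
               for h in client_hellos[1:])


def build_client_hello(extensions: List[Tuple[int, bytes]]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (zero random, one suite)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (b"\x03\x03" + bytes(32)                    # client_version, random
             + b"\x00"                                  # empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"       # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
             + b"\x01\x00"                              # null compression only
             + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample list: ecdsa_secp256r1_sha256 (0x0403), rsa_pss_rsae_sha256 (0x0804).
SIG_ALGS_LIST = b"\x00\x04\x04\x03\x08\x04"
INITIAL_HELLO = build_client_hello([(SIGNATURE_ALGORITHMS, SIG_ALGS_LIST),
                                    (SIGNATURE_ALGORITHMS_CERT, SIG_ALGS_LIST)])
RENEGO_TRIGGER = build_client_hello([(SIGNATURE_ALGORITHMS_CERT, SIG_ALGS_LIST)])
RENEGO_BENIGN = build_client_hello([(SIGNATURE_ALGORITHMS, SIG_ALGS_LIST)])

if __name__ == "__main__":
    print("trigger flow:", connection_has_trigger([INITIAL_HELLO, RENEGO_TRIGGER]))  # True
    print("benign flow:", connection_has_trigger([INITIAL_HELLO, RENEGO_BENIGN]))    # False
```

Two caveats before turning this into a sensor rule. In TLSv1.2 a renegotiation ClientHello is sent inside the already-established encrypted session, so a passive network tap only ever sees the first ClientHello in the clear; the check is usable where the handshake is visible, such as a TLS-terminating proxy, server-side instrumentation, or a capture decrypted with the session keys. And a match only says that a client sent the trigger, not whether the server was patched; for that, compare the server's OpenSSL build against 1.1.1k or the fixed package versions in the tables on this page.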

Affected Software List

Name | Vendor/Release | Version (fixed package, or status)
Nodejs | Ubuntu/upstream | TBD
Nodejs | Ubuntu/trusty | out of standard support
Openssl | Ubuntu/devel | 1.1.1j-1ubuntu3
Openssl | Ubuntu/focal | 1.1.1f-1ubuntu2.3
Openssl | Ubuntu/groovy | 1.1.1f-1ubuntu4.3
Openssl | Ubuntu/hirsute | 1.1.1j-1ubuntu3
Openssl | Ubuntu/bionic | 1.1.1-1ubuntu2.1~18.04.9
Openssl | Ubuntu/trusty | out of standard support
Openssl | Ubuntu/upstream | TBD
Postgresql-9.5 | Ubuntu/esm-infra/xenial | TBD
Postgresql-9.5 | Ubuntu/upstream | TBD
Postgresql-9.5 | Ubuntu/xenial | TBD
Edk2 | Ubuntu/trusty | out of standard support
Openssl1.0 | Ubuntu/upstream | TBD
Postgresql-10 | Ubuntu/upstream | TBD
Postgresql-10 | Ubuntu/bionic | 10.18-0ubuntu0.18.04.1
Postgresql-12 | Ubuntu/focal | 12.8-0ubuntu0.20.04.1
Postgresql-12 | Ubuntu/trusty | out of standard support
Postgresql-12 | Ubuntu/upstream | TBD
Postgresql-13 | Ubuntu/hirsute | 13.4-0ubuntu0.21.04.1
Postgresql-13 | Ubuntu/upstream | TBD
Postgresql-9.1 | Ubuntu/upstream | TBD
Postgresql-9.1 | Ubuntu/trusty | out of standard support
Postgresql-9.3 | Ubuntu/upstream | TBD
Postgresql-9.3 | Ubuntu/trusty | out of standard support