The OpenSSL Project addresses two high-severity vulnerabilities in OpenSSL Products, a commonly used software library for building networking applications and servers that need to establish secure communications, including one related to verifying a certificate chain and one that can trigger a DoS condition.


A. Nature of the Vulnerabilities

The following vulnerabilities were tracked as:

CVE-2021-3449, the vulnerability could be exploited to trigger a DoS condition by sending a specially crafted renegotiation ClientHello message from a client. This affects servers running OpenSSL 1.1.1 versions with TLS 1.2 and renegotiation enabled.

CVE-2021-3450, a flaw related to the verification of a certificate chain when using the X509_V_FLAG_X509_STRICT flag. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten, which effectively bypasses the check that non-CA certificates must not be able to issue other certificates.


B. List of Vulnerable Systems

Vulnerable OpenSSL version are as follows:

  • 1.1.1h
  • 1.1.1i
  • 1.1.1j


C. Actions to be Taken

CERT-PH recommends the following actions be taken:

Immediately test and apply the corresponding patched versions of the affected OpenSSL system from the published security advisory from the OpenSSL Project. (