The OpenSSL Project has addressed two high-severity vulnerabilities in OpenSSL, a widely used software library for building networking applications and servers that need to establish secure communications. One vulnerability concerns the verification of a certificate chain and the other can trigger a denial-of-service (DoS) condition.
A. Nature of the Vulnerabilities
The vulnerabilities are tracked as follows:
CVE-2021-3449: a vulnerability that can be exploited to trigger a DoS condition by sending a specially crafted renegotiation ClientHello message from a client. It affects servers running OpenSSL 1.1.1 versions with TLS 1.2 and renegotiation enabled.
CVE-2021-3450: a flaw in the verification of a certificate chain when the X509_V_FLAG_X509_STRICT flag is used. An error in the implementation of this check meant that the result of a previous check, which confirms that the certificates in the chain are valid CA certificates, was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.
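As an added illustration (not code from this advisory or from the OpenSSL Project), the following Go program shows the property that the strict chain check behind CVE-2021-3450 is meant to enforce: every issuer in the chain must be a CA certificate and must have signed the certificate below it, and a failed CA check must not be overwritten by a later result. The certificates, the names and the helper makeCert are constructed for the demo.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// makeCert builds a constructed demo cert for cn signed by parent/parentKey (self-signed when parent is nil).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // key usage omitted to keep the demo short
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// StrictChainCheck walks chain (leaf first, root last): every issuer must carry a valid CA basicConstraints
// AND have signed the cert below it. Each failure returns at once, so no later check can overwrite it.
func StrictChainCheck(chain []*x509.Certificate) error {
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		if !issuer.BasicConstraintsValid || !issuer.IsCA {
			return fmt.Errorf("%q issued %q but is not a CA", issuer.Subject.CommonName, cert.Subject.CommonName)
		}
		if err := cert.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("%q is not signed by %q: %w", cert.Subject.CommonName, issuer.Subject.CommonName, err)
		}
	}
	return nil
}

func main() {
	root, rootKey := makeCert("Demo Root CA", true, nil, nil)
	leaf, leafKey := makeCert("server.example", false, root, rootKey)
	rogue, _ := makeCert("rogue.example", false, leaf, leafKey) // issued by the non-CA leaf
	fmt.Println(StrictChainCheck([]*x509.Certificate{leaf, root}), "|", StrictChainCheck([]*x509.Certificate{rogue, leaf, root}))
}
```

The first chain (leaf issued by the root CA) passes, while the second chain (a certificate issued by the non-CA leaf) is rejected at the CA check before any signature is examined.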
B. List of Vulnerable Systems
Vulnerable OpenSSL versions are as follows:
C. Actions to be Taken
CERT-PH recommends the following actions be taken:
Immediately test and apply the corresponding patched versions of the affected OpenSSL installations, as published in the OpenSSL Project's security advisory (https://www.openssl.org/news/vulnerabilities.html#CVE-2021-3449).