Bug 1941547 (CVE-2021-3450)
| Summary: | CVE-2021-3450 openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | cfergeau, crypto-team, csutherl, dblechte, ddelcian, dfediuck, dueno, dvolkov, eedri, elima, erik-fedora, fidencio, francois.poirotte, gzaronik, hkario, jclere, jwon, kaycoth, krathod, ktietz, marcandre.lureau, mgoldboi, michal.skrivanek, mturk, mvanderw, pjindal, randy, redhat-bugzilla, rh-spice-bugs, rjones, sahana, sbonazzo, security-response-team, sherold, ssorce, szappis, tm, wwinter, yozone, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | openssl 1.1.1k | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in openssl. The flag that enables additional security checks of certificates present in a certificate chain was not enabled, allowing the confirmation step that verifies that certificates in the chain are valid CA certificates to be bypassed. The highest threat from this vulnerability is to data confidentiality and integrity. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-03-30 17:35:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1941891, 1941892, 1941893, 1941894, 1943176, 1943177, 1943892 | | |
| Bug Blocks: | 1941549 | | |
Description
Huzaifa S. Sidhpurwala
2021-03-22 10:53:33 UTC
Acknowledgments:

Name: the OpenSSL Project
Upstream: Benjamin Kaduk, Xiang Ding and others (Akamai)

External References:

https://www.openssl.org/news/secadv/20210325.txt

Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1943176]

Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 1943177]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:1024 https://access.redhat.com/errata/RHSA-2021:1024

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3450

Statement:

This flaw affects openssl 1.1.1h and above only; older versions are not affected by this flaw.

Mitigation:

The following conditions have to be met for an application compiled with OpenSSL to be vulnerable:

- the CA trusted by the system must issue or have issued certificates that don't include the basic Key Usage extension.
- the CA certificates must not have a path length constraint set to a value that would limit the certificate chain to just the subscriber certificates (i.e. the CA certificate just above the subscriber cert must not have 0 as the path length constraint, and any CA above it must not have it increase by more than 1 for every level in the hierarchy).
- the attacker needs to have access to such a subscriber certificate (without basic Key Usage and linking up to CAs without path length constraints or not effectively constraining certs issued by this certificate).
- the application under attack must use the X509_V_FLAG_X509_STRICT flag and must not set a purpose for the certificate verification.

If any of the above conditions are not met, then the application compiled with OpenSSL is not vulnerable to the CVE.

This issue has been addressed in the following products:

Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:1189 https://access.redhat.com/errata/RHSA-2021:1189

This issue has been addressed in the following products:

Red Hat JBoss Web Server

Via RHSA-2021:1196 https://access.redhat.com/errata/RHSA-2021:1196

This issue has been addressed in the following products:

Red Hat JBoss Web Server 5.4 on RHEL 7
Red Hat JBoss Web Server 5.4 on RHEL 8

Via RHSA-2021:1195 https://access.redhat.com/errata/RHSA-2021:1195

This issue has been addressed in the following products:

JBoss Core Services on RHEL 7

Via RHSA-2021:1199 https://access.redhat.com/errata/RHSA-2021:1199

This issue has been addressed in the following products:

JBCS 2.4.37 SP7

Via RHSA-2021:1200 https://access.redhat.com/errata/RHSA-2021:1200

This issue has been addressed in the following products:

Red Hat JBoss Web Server

Via RHSA-2021:1203 https://access.redhat.com/errata/RHSA-2021:1203

This issue has been addressed in the following products:

Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2021:1202 https://access.redhat.com/errata/RHSA-2021:1202
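The mitigation conditions above rest on two independent chain rules: every certificate above the leaf must be a CA, and each CA's pathLenConstraint must cover the CAs below it. The following Python model is an added illustration (not OpenSSL code and not from this bug report; the certificate dicts and names are constructed) showing that a pathLenConstraint of 0 on the issuing CA rejects a chain built through a subscriber certificate on its own, which is why the second condition matters even when the CA check is the one that fails.

```python
"""Model of the chain rules behind the CVE-2021-3450 mitigation (constructed
example). Certificates are dicts: subject, issuer, ca (basicConstraints CA
flag), pathlen (None = no constraint), key_usage (set, or None if the
extension is absent). Chains are ordered leaf first, trust anchor last."""


def is_ca(cert):
    """Strict CA test: basicConstraints CA:TRUE and, if keyUsage is present,
    keyCertSign must be asserted. A subscriber certificate without CA:TRUE
    is not a CA regardless of whether it carries keyUsage."""
    if not cert.get("ca"):
        return False
    key_usage = cert.get("key_usage")
    return key_usage is None or "keyCertSign" in key_usage


def chain_violations(chain):
    """Return every (depth, reason) the chain breaks; depth 0 is the leaf.
    Rule 1: each certificate above the leaf must be a CA. Rule 2: a CA's
    pathLenConstraint must be >= the number of non-self-issued CAs between
    it and the leaf. Both are reported so the reader sees each backstop."""
    violations = []
    for depth in range(1, len(chain)):
        cert = chain[depth]
        if not is_ca(cert):
            violations.append((depth, "issuer is not a CA certificate"))
        if cert.get("pathlen") is not None:
            below = [c for c in chain[1:depth] if c["subject"] != c["issuer"]]
            if len(below) > cert["pathlen"]:
                violations.append((depth, "pathLenConstraint exceeded"))
    for depth in range(len(chain) - 1):
        if chain[depth]["issuer"] != chain[depth + 1]["subject"]:
            violations.append((depth, "issuer does not match next subject"))
    return violations


# Constructed sample hierarchy; all names are placeholders.
ROOT = {"subject": "Root CA", "issuer": "Root CA", "ca": True,
        "pathlen": None, "key_usage": {"keyCertSign", "cRLSign"}}
ISSUING_CA = {"subject": "Issuing CA", "issuer": "Root CA", "ca": True,
              "pathlen": 0, "key_usage": {"keyCertSign"}}
# Subscriber certificate issued without a keyUsage extension.
SUBSCRIBER = {"subject": "www.example.test", "issuer": "Issuing CA",
              "ca": False, "pathlen": None, "key_usage": None}
# A certificate whose issuer name points at the subscriber certificate.
FORGED = {"subject": "host.example.test", "issuer": "www.example.test",
          "ca": False, "pathlen": None, "key_usage": None}

if __name__ == "__main__":
    print(chain_violations([SUBSCRIBER, ISSUING_CA, ROOT]))
    print(chain_violations([FORGED, SUBSCRIBER, ISSUING_CA, ROOT]))
```

Removing the `pathlen` of `ISSUING_CA` leaves only the CA-check violation, which is exactly the situation the second mitigation condition describes.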