Bug 1941554 (CVE-2021-3449) - CVE-2021-3449 openssl: NULL pointer dereference in signature_algorithms processing
Summary: CVE-2021-3449 openssl: NULL pointer dereference in signature_algorithms proce...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3449
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1941732 1941733 1941734 1941735 1941736 1941737 1942333 1942334 1942335 1942336 1942337 1942338 1942339 1942340 1942341 1942342 1943178 1943179 1943892
Blocks: 1941549
TreeView+ depends on / blocked
 
Reported: 2021-03-22 11:01 UTC by Huzaifa S. Sidhpurwala
Modified: 2022-05-17 10:50 UTC (History)
42 users (show)

Fixed In Version: openssl 1.1.1k
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openssl. A server crash and denial of service attack could occur if a client sends a TLSv1.2 renegotiation ClientHello and omits the signature_algorithms extension but includes a signature_algorithms_cert extension. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-03-30 17:35:18 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:1189 0 None None None 2022-01-05 10:01:51 UTC

Description Huzaifa S. Sidhpurwala 2021-03-22 11:01:07 UTC
As per upstream:

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack.

A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue.

All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

Comment 1 Huzaifa S. Sidhpurwala 2021-03-22 11:01:15 UTC
Acknowledgments:

Name: the OpenSSL project
Upstream: Nokia

Comment 8 Huzaifa S. Sidhpurwala 2021-03-24 04:09:21 UTC
Statement:

This flaw only affects OpenSSL 1.1.1, older versions are not affected.

Comment 12 Huzaifa S. Sidhpurwala 2021-03-25 14:25:42 UTC
External References:

https://www.openssl.org/news/secadv/20210325.txt

Comment 13 Huzaifa S. Sidhpurwala 2021-03-25 14:26:59 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1943178]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 1943179]

Comment 14 Huzaifa S. Sidhpurwala 2021-03-25 14:28:01 UTC
Upstream commit: https://github.com/openssl/openssl/commit/fb9fa6b51defd48157eeb207f52181f735d96148

Comment 15 Hubert Kario 2021-03-25 16:13:45 UTC
stand-alone reproducer: https://github.com/tlsfuzzer/tlsfuzzer/pull/748

Comment 22 Huzaifa S. Sidhpurwala 2021-03-29 13:36:48 UTC
Mitigation:

This flaw can be mitigated by disabling TLS renegotiation on servers compiled with OpenSSL. It is enabled by default, but can be disabled for servers which do not require it and can be used to mitigate this flaw. Versions of httpd package shipped with Red Hat Enterprise Linux 8 have TLS renegotiation disabled by default.

Comment 23 errata-xmlrpc 2021-03-29 19:40:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1024 https://access.redhat.com/errata/RHSA-2021:1024

Comment 25 Scott Brown 2021-03-30 16:25:48 UTC
Is this the wrong place to ask when CentOS Stream 8 is going to ship an openssl security update? It has not been updated since December, and is lacking the high severity 1.1.1k fixes (and others of intermediate and low severity).

Comment 26 Product Security DevOps Team 2021-03-30 17:35:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3449

Comment 27 Sahana Prasad 2021-03-31 14:18:02 UTC
(In reply to Scott Brown from comment #25)
> Is this the wrong place to ask when CentOS Stream 8 is going to ship an
> openssl security update? It has not been updated since December, and is
> lacking the high severity 1.1.1k fixes (and others of intermediate and low
> severity).

Hi Scott,
I'll get back to you on this one.

Comment 28 errata-xmlrpc 2021-04-05 13:47:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:1063 https://access.redhat.com/errata/RHSA-2021:1063

Comment 31 errata-xmlrpc 2021-04-07 15:30:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:1131 https://access.redhat.com/errata/RHSA-2021:1131

Comment 33 errata-xmlrpc 2021-04-14 11:44:47 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:1189 https://access.redhat.com/errata/RHSA-2021:1189

Comment 34 errata-xmlrpc 2021-04-14 14:34:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2021:1196 https://access.redhat.com/errata/RHSA-2021:1196

Comment 35 errata-xmlrpc 2021-04-14 14:45:58 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.4 on RHEL 7
  Red Hat JBoss Web Server 5.4 on RHEL 8

Via RHSA-2021:1195 https://access.redhat.com/errata/RHSA-2021:1195

Comment 36 errata-xmlrpc 2021-04-14 15:54:24 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2021:1199 https://access.redhat.com/errata/RHSA-2021:1199

Comment 37 errata-xmlrpc 2021-04-14 16:00:06 UTC
This issue has been addressed in the following products:

  JBCS 2.4.37 SP7

Via RHSA-2021:1200 https://access.redhat.com/errata/RHSA-2021:1200

Comment 38 errata-xmlrpc 2021-04-14 17:57:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2021:1203 https://access.redhat.com/errata/RHSA-2021:1203

Comment 39 errata-xmlrpc 2021-04-14 17:58:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2021:1202 https://access.redhat.com/errata/RHSA-2021:1202


Note You need to log in before you can comment on or make changes to this bug.