As per upstream advisory: Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.
Acknowledgments: Name: the OpenSSL project Upstream: Bernd Edlinger
It seems like this flaw was caused by the commit https://github.com/openssl/openssl/commit/5235ef44b93306a14d0b6c695b13c64b16e1fdec, which is part of openssl-1.1.1d; older versions of openssl are therefore not affected by this flaw.
The OpenSSL peer loops through the list of "signature_algorithms_cert" values received from the client and attempts to look up each one in the internal table. When the peer sends a value which is not in the table, the lookup returns NULL, but we unconditionally dereference the lookup result for the comparison, leading to an application crash triggerable by an unauthenticated client. Since we will not be able to say anything about algorithms we don't recognize, the patch treats a NULL return from the lookup as "does not match". Only TLS 1.3 is affected in the code, since "signature_algorithms_cert" is only supported for TLS 1.3.
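To illustrate the defect and the fix described above, here is an added C example written for this page (constructed here, not OpenSSL's code): a stand-in signature-scheme table, the lookup-then-dereference shape that crashes on an unrecognised value, and the hardened form in which a NULL lookup result is treated as "does not match". The table contents, struct fields and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the internal signature-scheme table; not libssl's. */
typedef struct {
    uint16_t sigalg;   /* TLS SignatureScheme code point sent by the peer */
    int sig_nid;       /* constructed id for the certificate's signature type */
} SIGALG_LOOKUP;

static const SIGALG_LOOKUP sigalg_table[] = {
    { 0x0804, 1 },   /* rsa_pss_rsae_sha256 */
    { 0x0403, 2 },   /* ecdsa_secp256r1_sha256 */
    { 0x0807, 3 },   /* ed25519 */
};

/* Returns NULL when the peer's code point is not one we implement. */
const SIGALG_LOOKUP *lookup_sigalg(uint16_t sigalg)
{
    for (size_t i = 0; i < sizeof(sigalg_table) / sizeof(sigalg_table[0]); i++)
        if (sigalg_table[i].sigalg == sigalg)
            return &sigalg_table[i];
    return NULL;
}

/* Vulnerable shape: the lookup result is dereferenced unconditionally, so one
 * unrecognised value from an unauthenticated peer crashes the process.
 * Kept only to show the defect; never call it with unknown values. */
int chain_sig_acceptable_vuln(const uint16_t *peer_algs, size_t n, int cert_sig_nid)
{
    for (size_t i = 0; i < n; i++) {
        const SIGALG_LOOKUP *lu = lookup_sigalg(peer_algs[i]);
        if (lu->sig_nid == cert_sig_nid)   /* lu may be NULL here */
            return 1;
    }
    return 0;
}

/* Hardened shape, mirroring the upstream fix: NULL means "does not match",
 * so unknown algorithms (e.g. a GREASE value such as 0x0A0A) are skipped. */
int chain_sig_acceptable(const uint16_t *peer_algs, size_t n, int cert_sig_nid)
{
    for (size_t i = 0; i < n; i++) {
        const SIGALG_LOOKUP *lu = lookup_sigalg(peer_algs[i]);
        if (lu == NULL)
            continue;                      /* unrecognised: treat as no match */
        if (lu->sig_nid == cert_sig_nid)
            return 1;
    }
    return 0;
}
```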
Statement: This flaw was introduced by the following OpenSSL commit: https://github.com/openssl/openssl/commit/5235ef44b93306a14d0b6c695b13c64b16e1fdec, which was shipped as a part of OpenSSL-1.1.1d; therefore older versions are not affected by this flaw. OpenSSL packages shipped with Red Hat Products are NOT affected by this flaw. The affected `signature_algorithms_cert` check which causes the flaw is only applied to TLS 1.3, therefore older versions of TLS are not affected by this flaw. Also, the vulnerable `SSL_check_chain()` is not called directly from libssl, but may be used by the application inside a callback (e.g., client_hello or cert callback) to verify that a candidate certificate chain will be acceptable to the client. Thus, applications that use openssl without invoking the `SSL_check_chain()` function are not vulnerable to this flaw. Lastly, no Red Hat Middleware products ship the affected version of OpenSSL. However, some components, such as Netty and Wildfly, may be configured by customers to use any OpenSSL version. Customers who have configured their setups to use a vulnerable version of OpenSSL are advised to upgrade to the latest unaffected version immediately.
Mitigation: Applications compiled with OpenSSL >= 1.1.1d that either use openssl without invoking the `SSL_check_chain()` function or do not use TLS 1.3 are not vulnerable to this flaw.
OpenShift ServiceMesh is not vulnerable to this flaw. The component servicemesh-proxy dynamically links to the RHEL version (RHEL 8.1, openssl-libs 1.1.1c) and does not invoke the vulnerable function, SSL_check_chain().
External References: https://www.openssl.org/news/secadv/20200421.txt
Upstream patch: https://github.com/openssl/openssl/commit/a87f3fe01a5a894aa27ccd6a239155fd129988e4 https://github.com/openssl/openssl/commit/3656c08ab4b1b892730cb5e808b6f4298b08a2e6