Vulnerability Monitor

CVE-2021-3449


An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).


Published

2021-03-25T15:15:13.450

Last Modified

2024-11-21T06:21:33.050

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:N/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-476

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
| --- | --- | --- | --- | --- |
| Application | openssl | openssl | < 1.1.1k | Yes |
| Operating System | debian | debian_linux | 9.0 | Yes |
| Operating System | debian | debian_linux | 10.0 | Yes |
| Operating System | freebsd | freebsd | 12.2 | Yes |
| Operating System | freebsd | freebsd | 12.2 | Yes |
| Operating System | freebsd | freebsd | 12.2 | Yes |
| Application | netapp | active_iq_unified_manager | - | Yes |
| Application | netapp | cloud_volumes_ontap_mediator | - | Yes |
| Application | netapp | e-series_performance_analyzer | - | Yes |
| Application | netapp | oncommand_insight | - | Yes |
| Application | netapp | oncommand_workflow_automation | - | Yes |
| Application | netapp | ontap_select_deploy_administration_utility | - | Yes |
| Application | netapp | santricity_smi-s_provider | - | Yes |
| Application | netapp | snapcenter | - | Yes |
| Application | netapp | storagegrid | - | Yes |
| Application | tenable | log_correlation_engine | < 6.0.9 | Yes |
| Application | tenable | nessus | ≤ 8.13.1 | Yes |
| Application | tenable | nessus_network_monitor | 5.11.0 | Yes |
| Application | tenable | nessus_network_monitor | 5.11.1 | Yes |
| Application | tenable | nessus_network_monitor | 5.12.0 | Yes |
| Application | tenable | nessus_network_monitor | 5.12.1 | Yes |
| Application | tenable | nessus_network_monitor | 5.13.0 | Yes |
| Application | tenable | tenable.sc | ≤ 5.17.0 | Yes |
| Operating System | fedoraproject | fedora | 34 | Yes |
| Application | mcafee | web_gateway | 8.2.19 | Yes |
| Application | mcafee | web_gateway | 9.2.10 | Yes |
| Application | mcafee | web_gateway | 10.1.1 | Yes |
| Application | mcafee | web_gateway_cloud_service | 8.2.19 | Yes |
| Application | mcafee | web_gateway_cloud_service | 9.2.10 | Yes |
| Application | mcafee | web_gateway_cloud_service | 10.1.1 | Yes |
| Operating System | checkpoint | quantum_security_management_firmware | r80.40 | Yes |
| Operating System | checkpoint | quantum_security_management_firmware | r81 | Yes |
| Hardware | checkpoint | quantum_security_management | - | No |
| Operating System | checkpoint | multi-domain_management_firmware | r80.40 | Yes |
| Operating System | checkpoint | multi-domain_management_firmware | r81 | Yes |
| Hardware | checkpoint | multi-domain_management | - | No |
| Operating System | checkpoint | quantum_security_gateway_firmware | r80.40 | Yes |
| Operating System | checkpoint | quantum_security_gateway_firmware | r81 | Yes |
| Hardware | checkpoint | quantum_security_gateway | - | No |
| Application | oracle | communications_communications_policy_management | 12.6.0.0.0 | Yes |
| Application | oracle | enterprise_manager_for_storage_management | 13.4.0.0 | Yes |
| Application | oracle | essbase | 21.2 | Yes |
| Application | oracle | graalvm | 19.3.5 | Yes |
| Application | oracle | graalvm | 20.3.1.2 | Yes |
| Application | oracle | graalvm | 21.0.0.2 | Yes |
| Application | oracle | jd_edwards_enterpriseone_tools | < 9.2.6.0 | Yes |
| Application | oracle | jd_edwards_world_security | a9.4 | Yes |
| Application | oracle | mysql_connectors | ≤ 8.0.23 | Yes |
| Application | oracle | mysql_server | ≤ 5.7.33 | Yes |
| Application | oracle | mysql_server | ≤ 8.0.23 | Yes |
| Application | oracle | mysql_workbench | ≤ 8.0.23 | Yes |
| Application | oracle | peoplesoft_enterprise_peopletools | 8.57 | Yes |
| Application | oracle | peoplesoft_enterprise_peopletools | 8.58 | Yes |
| Application | oracle | peoplesoft_enterprise_peopletools | 8.59 | Yes |
| Application | oracle | primavera_unifier | ≤ 17.12 | Yes |
| Application | oracle | primavera_unifier | 19.12 | Yes |
| Application | oracle | primavera_unifier | 20.12 | Yes |
| Application | oracle | primavera_unifier | 21.12 | Yes |
| Application | oracle | secure_backup | < 18.1.0.1.0 | Yes |
| Application | oracle | secure_global_desktop | 5.6 | Yes |
| Application | oracle | zfs_storage_appliance_kit | 8.8 | Yes |
| Operating System | sonicwall | sma100_firmware | < 10.2.1.0-17sv | Yes |
| Hardware | sonicwall | sma100 | - | No |
| Application | sonicwall | capture_client | 3.5 | Yes |
| Operating System | sonicwall | sonicos | 7.0.1.0 | Yes |
| Operating System | siemens | ruggedcom_rcm1224_firmware | ≥ 6.2 | Yes |
| Hardware | siemens | ruggedcom_rcm1224 | - | No |
| Operating System | siemens | scalance_lpe9403_firmware | * | Yes |
| Hardware | siemens | scalance_lpe9403 | - | No |
| Operating System | siemens | scalance_m-800_firmware | ≥ 6.2 | Yes |
| Hardware | siemens | scalance_m-800 | - | No |
| Operating System | siemens | scalance_s602_firmware | ≥ 4.1 | Yes |
| Hardware | siemens | scalance_s602 | - | No |
| Operating System | siemens | scalance_s612_firmware | ≥ 4.1 | Yes |
| Hardware | siemens | scalance_s612 | - | No |
| Operating System | siemens | scalance_s615_firmware | ≥ 6.2 | Yes |
| Hardware | siemens | scalance_s615 | - | No |
| Operating System | siemens | scalance_s623_firmware | ≥ 4.1 | Yes |
| Hardware | siemens | scalance_s623 | - | No |
| Operating System | siemens | scalance_s627-2m_firmware | ≥ 4.1 | Yes |
| Hardware | siemens | scalance_s627-2m | - | No |
| Operating System | siemens | scalance_sc-600_firmware | ≥ 2.0 | Yes |
| Hardware | siemens | scalance_sc-600 | - | No |
| Operating System | siemens | scalance_w700_firmware | ≥ 6.5 | Yes |
| Hardware | siemens | scalance_w700 | - | No |
| Operating System | siemens | scalance_w1700_firmware | ≥ 2.0 | Yes |
| Hardware | siemens | scalance_w1700 | - | No |
| Operating System | siemens | scalance_xb-200_firmware | < 4.3 | Yes |
| Hardware | siemens | scalance_xb-200 | - | No |
| Operating System | siemens | scalance_xc-200_firmware | < 4.3 | Yes |
| Hardware | siemens | scalance_xc-200 | - | No |
| Operating System | siemens | scalance_xf-200ba_firmware | < 4.3 | Yes |
| Hardware | siemens | scalance_xf-200ba | - | No |
| Operating System | siemens | scalance_xm-400_firmware | < 6.4 | Yes |
| Hardware | siemens | scalance_xm-400 | - | No |
| Operating System | siemens | scalance_xp-200_firmware | < 4.3 | Yes |
| Hardware | siemens | scalance_xp-200 | - | No |
| Operating System | siemens | scalance_xr-300wg_firmware | < 4.3 | Yes |
| Hardware | siemens | scalance_xr-300wg | - | No |
| Operating System | siemens | scalance_xr524-8c_firmware | < 6.4 | Yes |
| Hardware | siemens | scalance_xr524-8c | - | No |
| Operating System | siemens | scalance_xr526-8c_firmware | < 6.4 | Yes |
| Hardware | siemens | scalance_xr526-8c | - | No |
| Operating System | siemens | scalance_xr528-6m_firmware | < 6.4 | Yes |
| Hardware | siemens | scalance_xr528-6m | - | No |
| Operating System | siemens | scalance_xr552-12_firmware | < 6.4 | Yes |
| Hardware | siemens | scalance_xr552-12 | - | No |
| Operating System | siemens | simatic_cloud_connect_7_firmware | ≥ 1.1 | Yes |
| Operating System | siemens | simatic_cloud_connect_7_firmware | - | Yes |
| Hardware | siemens | simatic_cloud_connect_7 | - | No |
| Operating System | siemens | simatic_cp_1242-7_gprs_v2_firmware | ≥ 3.1 | Yes |
| Operating System | siemens | simatic_cp_1242-7_gprs_v2_firmware | - | Yes |
| Hardware | siemens | simatic_cp_1242-7_gprs_v2 | - | No |
| Operating System | siemens | simatic_hmi_basic_panels_2nd_generation_firmware | * | Yes |
| Hardware | siemens | simatic_hmi_basic_panels_2nd_generation | - | No |
| Operating System | siemens | simatic_hmi_comfort_outdoor_panels_firmware | * | Yes |
| Hardware | siemens | simatic_hmi_comfort_outdoor_panels | - | No |
| Operating System | siemens | simatic_hmi_ktp_mobile_panels_firmware | * | Yes |
| Hardware | siemens | simatic_hmi_ktp_mobile_panels | - | No |
| Operating System | siemens | simatic_mv500_firmware | * | Yes |
| Hardware | siemens | simatic_mv500 | - | No |
| Operating System | siemens | simatic_net_cp_1243-1_firmware | ≥ 3.1 | Yes |
| Hardware | siemens | simatic_net_cp_1243-1 | - | No |
| Operating System | siemens | simatic_net_cp1243-7_lte_eu_firmware | ≥ 3.1 | Yes |
| Hardware | siemens | simatic_net_cp1243-7_lte_eu | - | No |
| Operating System | siemens | simatic_net_cp1243-7_lte_us_firmware | ≥ 3.1 | Yes |
| Hardware | siemens | simatic_net_cp1243-7_lte_us | - | No |
| Operating System | siemens | simatic_net_cp_1243-8_irc_firmware | ≥ 3.1 | Yes |
| Hardware | siemens | simatic_net_cp_1243-8_irc | - | No |
| Operating System | siemens | simatic_net_cp_1542sp-1_irc_firmware | ≥ 2.1 | Yes |
| Hardware | siemens | simatic_net_cp_1542sp-1_irc | - | No |
| Operating System | siemens | simatic_net_cp_1543-1_firmware | < 3.0 | Yes |
| Hardware | siemens | simatic_net_cp_1543-1 | - | No |
| Operating System | siemens | simatic_net_cp_1543sp-1_firmware | ≥ 2.1 | Yes |
| Hardware | siemens | simatic_net_cp_1543sp-1 | - | No |
| Operating System | siemens | simatic_net_cp_1545-1_firmware | ≥ 1.0 | Yes |
| Hardware | siemens | simatic_net_cp_1545-1 | - | No |
| Operating System | siemens | simatic_pcs_7_telecontrol_firmware | * | Yes |
| Hardware | siemens | simatic_pcs_7_telecontrol | - | No |
| Operating System | siemens | simatic_pcs_neo_firmware | * | Yes |
| Hardware | siemens | simatic_pcs_neo | - | No |
| Operating System | siemens | simatic_pdm_firmware | ≥ 9.1.0.7 | Yes |
| Hardware | siemens | simatic_pdm | - | No |
| Operating System | siemens | simatic_process_historian_opc_ua_server_firmware | ≥ 2019 | Yes |
| Hardware | siemens | simatic_process_historian_opc_ua_server | - | No |
| Operating System | siemens | simatic_rf166c_firmware | * | Yes |
| Hardware | siemens | simatic_rf166c | - | No |
| Operating System | siemens | simatic_rf185c_firmware | * | Yes |
| Hardware | siemens | simatic_rf185c | - | No |
| Operating System | siemens | simatic_rf186c_firmware | * | Yes |
| Hardware | siemens | simatic_rf186c | - | No |
| Operating System | siemens | simatic_rf186ci_firmware | * | Yes |
| Hardware | siemens | simatic_rf186ci | - | No |
| Operating System | siemens | simatic_rf188c_firmware | * | Yes |
| Hardware | siemens | simatic_rf188c | - | No |
| Operating System | siemens | simatic_rf188ci_firmware | * | Yes |
| Hardware | siemens | simatic_rf188ci | - | No |
| Operating System | siemens | simatic_rf360r_firmware | * | Yes |
| Hardware | siemens | simatic_rf360r | - | No |
| Operating System | siemens | simatic_s7-1200_cpu_1211c_firmware | * | Yes |
| Hardware | siemens | simatic_s7-1200_cpu_1211c | - | No |
| Operating System | siemens | simatic_s7-1200_cpu_1212c_firmware | * | Yes |
| Hardware | siemens | simatic_s7-1200_cpu_1212c | - | No |
| Operating System | siemens | simatic_s7-1200_cpu_1212fc_firmware | * | Yes |
| Hardware | siemens | simatic_s7-1200_cpu_1212fc | - | No |
| Operating System | siemens | simatic_s7-1200_cpu_1214_fc_firmware | * | Yes |
| Hardware | siemens | simatic_s7-1200_cpu_1214_fc | - | No |
| Operating System | siemens | simatic_s7-1200_cpu_1214c_firmware | * | Yes |
| Hardware | siemens | simatic_s7-1200_cpu_1214c | - | No |
| Operating System | siemens | simatic_s7-1200_cpu_1214_fc_firmware | * | Yes |
| Hardware | siemens | simatic_s7-1200_cpu_1214_fc | - | No |
| Operating System | siemens | simatic_s7-1200_cpu_1215_fc_firmware | * | Yes |
| Hardware | siemens | simatic_s7-1200_cpu_1215_fc | - | No |
| Operating System | siemens | simatic_s7-1200_cpu_1215c_firmware | * | Yes |
| Hardware | siemens | simatic_s7-1200_cpu_1215c | - | No |
| Operating System | siemens | simatic_s7-1200_cpu_1217c_firmware | * | Yes |
| Hardware | siemens | simatic_s7-1200_cpu_1217c | - | No |
| Operating System | siemens | simatic_s7-1500_cpu_1518-4_pn/dp_mfp_firmware | * | Yes |
| Hardware | siemens | simatic_s7-1500_cpu_1518-4_pn/dp_mfp | - | No |
| Operating System | siemens | sinamics_connect_300_firmware | * | Yes |
| Hardware | siemens | sinamics_connect_300 | - | No |
| Operating System | siemens | tim_1531_irc_firmware | < 2.2 | Yes |
| Hardware | siemens | tim_1531_irc | - | No |
| Application | siemens | simatic_logon | ≥ 1.6.0.2 | Yes |
| Application | siemens | simatic_logon | 1.5 | Yes |
| Application | siemens | simatic_wincc_runtime_advanced | * | Yes |
| Application | siemens | simatic_wincc_telecontrol | - | Yes |
| Application | siemens | sinec_nms | 1.0 | Yes |
| Application | siemens | sinec_nms | 1.0 | Yes |
| Application | siemens | sinec_pni | - | Yes |
| Application | siemens | sinema_server | 14.0 | Yes |
| Application | siemens | sinema_server | 14.0 | Yes |
| Application | siemens | sinema_server | 14.0 | Yes |
| Application | siemens | sinema_server | 14.0 | Yes |
| Application | siemens | sinema_server | 14.0 | Yes |
| Application | siemens | sinumerik_opc_ua_server | * | Yes |
| Application | siemens | tia_administrator | * | Yes |
| Application | siemens | sinec_infrastructure_network_services | < 1.0.1.1 | Yes |
| Application | nodejs | node.js | ≤ 10.12.0 | Yes |
| Application | nodejs | node.js | ≤ 10.24.0 | Yes |
| Application | nodejs | node.js | ≤ 12.12.0 | Yes |
| Application | nodejs | node.js | < 12.22.1 | Yes |
| Application | nodejs | node.js | ≤ 14.14.0 | Yes |
| Application | nodejs | node.js | < 14.16.1 | Yes |
| Application | nodejs | node.js | < 15.14.0 | Yes |

References