Lucene search

[email protected]NVD:CVE-2021-3450

HistoryMar 25, 2021 - 3:15 p.m.

CVE-2021-3450

2021-03-2515:15:13

CWE-295

[email protected]

web.nvd.nist.gov

x509_v_flag_x509_strict

openssl

certificate chain

security checks

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.002

Percentile

61.4%

JSON

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a “purpose” has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named “purpose” values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).

Affected configurations

Nvd

Node

opensslopensslRange1.1.1h–1.1.1k

Node

freebsdfreebsdMatch12.2-

freebsdfreebsdMatch12.2p1

freebsdfreebsdMatch12.2p2

Node

netappsantricity_smi-s_provider_firmwareMatch-

AND

netappsantricity_smi-s_providerMatch-

Node

netappstoragegrid_firmwareMatch-

AND

netappstoragegridMatch-

Node

windriverlinuxMatch-cd

windriverlinuxMatch17.0lts

windriverlinuxMatch18.0lts

windriverlinuxMatch19.0lts

Node

netappcloud_volumes_ontap_mediatorMatch-

netapponcommand_workflow_automationMatch-

netappontap_select_deploy_administration_utilityMatch-

netappstoragegridMatch-

Node

fedoraprojectfedoraMatch34

Node

tenablenessusRange≤8.13.1

tenablenessus_agentRange8.2.1–8.2.3

tenablenessus_network_monitorMatch5.11.0

tenablenessus_network_monitorMatch5.11.1

tenablenessus_network_monitorMatch5.12.0

tenablenessus_network_monitorMatch5.12.1

tenablenessus_network_monitorMatch5.13.0

Node

oraclecommerce_guided_searchMatch11.3.2

oracleenterprise_manager_for_storage_managementMatch13.4.0.0

oraclegraalvmMatch19.3.5enterprise

oraclegraalvmMatch20.3.1.2enterprise

oraclegraalvmMatch21.0.0.2enterprise

oraclejd_edwards_enterpriseone_toolsRange<9.2.6.0

oraclejd_edwards_world_securityMatcha9.4

oraclemysql_connectorsRange≤8.0.23

oraclemysql_enterprise_monitorRange≤8.0.23

oraclemysql_serverRange≤5.7.33

oraclemysql_serverRange8.0.15–8.0.23

oraclemysql_workbenchRange≤8.0.23

oraclepeoplesoft_enterprise_peopletoolsRange8.57–8.59

oraclesecure_backupRange<18.1.0.1.0

oraclesecure_global_desktopMatch5.6

oracleweblogic_serverMatch12.2.1.4.0

oracleweblogic_serverMatch14.1.1.0.0

Node

mcafeeweb_gatewayMatch8.2.19

mcafeeweb_gatewayMatch9.2.10

mcafeeweb_gatewayMatch10.1.1

mcafeeweb_gateway_cloud_serviceMatch8.2.19

mcafeeweb_gateway_cloud_serviceMatch9.2.10

mcafeeweb_gateway_cloud_serviceMatch10.1.1

Node

sonicwallsma100_firmwareRange<10.2.1.0-17sv

AND

sonicwallsma100Match-

Node

sonicwallcapture_clientRange<3.6.24

sonicwallemail_securityRange<10.0.11

sonicwallsonicosRange≤7.0.1-r1456

Node

nodejsnode.jsRange10.0.0–10.24.1-

nodejsnode.jsRange12.0.0–12.22.1-

nodejsnode.jsRange14.0.0–14.16.1-

nodejsnode.jsRange15.0.0–15.14.0-

VendorProductVersionCPE
opensslopenssl*cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
freebsdfreebsd12.2cpe:2.3:o:freebsd:freebsd:12.2:-:*:*:*:*:*:*
freebsdfreebsd12.2cpe:2.3:o:freebsd:freebsd:12.2:p1:*:*:*:*:*:*
freebsdfreebsd12.2cpe:2.3:o:freebsd:freebsd:12.2:p2:*:*:*:*:*:*
netappsantricity_smi-s_provider_firmware-cpe:2.3:o:netapp:santricity_smi-s_provider_firmware:-:*:*:*:*:*:*:*
netappsantricity_smi-s_provider-cpe:2.3:h:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*
netappstoragegrid_firmware-cpe:2.3:o:netapp:storagegrid_firmware:-:*:*:*:*:*:*:*
netappstoragegrid-cpe:2.3:h:netapp:storagegrid:-:*:*:*:*:*:*:*
windriverlinux-cpe:2.3:o:windriver:linux:-:*:*:*:cd:*:*:*
windriverlinux17.0cpe:2.3:o:windriver:linux:17.0:*:*:*:lts:*:*:*

Vendor	Product	Version	CPE
openssl	openssl	*	cpe:2.3:a:openssl:openssl::::::::
freebsd	freebsd	12.2	cpe:2.3:o:freebsd:freebsd:12.2:-::::::
freebsd	freebsd	12.2	cpe:2.3:o:freebsd:freebsd:12.2:p1::::::
freebsd	freebsd	12.2	cpe:2.3:o:freebsd:freebsd:12.2:p2::::::
netapp	santricity_smi-s_provider_firmware	-	cpe:2.3:o:netapp:santricity_smi-s_provider_firmware:-:::::::*
netapp	santricity_smi-s_provider	-	cpe:2.3:h:netapp:santricity_smi-s_provider:-:::::::*
netapp	storagegrid_firmware	-	cpe:2.3:o:netapp:storagegrid_firmware:-:::::::*
netapp	storagegrid	-	cpe:2.3:h:netapp:storagegrid:-:::::::*
windriver	linux	-	cpe:2.3:o:windriver:linux:-::::cd:::
windriver	linux	17.0	cpe:2.3:o:windriver:linux:17.0::::lts:::