CVSS3 Metric | Value |
---|---|
Base Score | 5.9 Medium |
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector String | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS2 Metric | Value |
---|---|
Base Score | 4.3 Medium |
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector String | AV:N/AC:M/Au:N/C:N/I:N/A:P |
EPSS Metric | Value |
---|---|
Score | 0.003 Low |
Percentile | 70.9% |
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello
omits the signature_algorithms extension (where it was present in the
initial ClientHello), but includes a signature_algorithms_cert extension
then a NULL pointer dereference will result, leading to a crash and a
denial of service attack. A server is only vulnerable if it has TLSv1.2 and
renegotiation enabled (which is the default configuration). OpenSSL TLS
clients are not impacted by this issue. All OpenSSL 1.1.1 versions are
affected by this issue. Users of these versions should upgrade to OpenSSL
1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL
1.1.1k (Affected 1.1.1-1.1.1j).
Author | Note |
---|---|
mdeslaur | does not affect 1.0.2 |
mdeslaur | edk2 doesn’t implement a server, so not vulnerable to this issue |
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | openssl | < 1.1.1-1ubuntu2.1~18.04.9 | UNKNOWN |
ubuntu | 20.04 | noarch | openssl | < 1.1.1f-1ubuntu2.3 | UNKNOWN |
ubuntu | 20.10 | noarch | openssl | < 1.1.1f-1ubuntu4.3 | UNKNOWN |
ubuntu | 21.04 | noarch | openssl | < 1.1.1j-1ubuntu3 | UNKNOWN |
ubuntu | 21.10 | noarch | openssl | < 1.1.1j-1ubuntu3 | UNKNOWN |
ubuntu | 22.04 | noarch | openssl | < 1.1.1j-1ubuntu3 | UNKNOWN |
ubuntu | 22.10 | noarch | openssl | < 1.1.1j-1ubuntu3 | UNKNOWN |
ubuntu | 23.04 | noarch | openssl | < 1.1.1j-1ubuntu3 | UNKNOWN |
ubuntu | 23.10 | noarch | openssl | < 1.1.1j-1ubuntu3 | UNKNOWN |
ubuntu | 18.04 | noarch | postgresql-10 | < 10.18-0ubuntu0.18.04.1 | UNKNOWN |
github.com/nodejs/node/pull/38083
launchpad.net/bugs/cve/CVE-2021-3449
nvd.nist.gov/vuln/detail/CVE-2021-3449
security-tracker.debian.org/tracker/CVE-2021-3449
ubuntu.com/security/notices/USN-4891-1
ubuntu.com/security/notices/USN-5038-1
www.cve.org/CVERecord?id=CVE-2021-3449
www.openssl.org/news/secadv/20210325.txt