Security News > 2021 > March > OpenSSL fixes severe DoS, certificate validation vulnerabilities

OpenSSL fixes severe DoS, certificate validation vulnerabilities
2021-03-25 16:44

Today, the OpenSSL project has issued an advisory for two high-severity vulnerabilities CVE-2021-3449 and CVE-2021-3450 lurking in OpenSSL products.

CVE-2021-3450: An improper Certificate Authority certificate validation vulnerability which impacts both the server and client instances.

The DoS vulnerability in OpenSSL TLS server can cause the server to crash if during the course of renegotiation the client sends a malicious ClientHello message.

The Certificate Authority certificate validation bypass vulnerability, CVE-2021-3450, has to do with the X509 V FLAG X509 STRICT flag.

The vulnerability was discovered by Xiang Ding and others at Akamai, with a fix having been developed by Tomáš Mráz. Neither vulnerabilities impact OpenSSL 1.0.2.

As reported by BleepingComputer, DHS-CISA had urged system administrators in December 2020 to patch another OpenSSL DoS vulnerability.


News URL

https://www.bleepingcomputer.com/news/security/openssl-fixes-severe-dos-certificate-validation-vulnerabilities/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-03-25 CVE-2021-3449 NULL Pointer Dereference vulnerability in multiple products
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client.
5.9
2021-03-25 CVE-2021-3450 Improper Certificate Validation vulnerability in multiple products
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain.
7.4

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 1 7 48 51 13 119