Security News > 2021 > March > OpenSSL shuts down two high-severity bugs: Flaws enable cert shenanigans, denial-of-service attacks

Two high-severity vulnerabilities in the OpenSSL software library were disclosed on Thursday alongside the release of a patched version of the software, OpenSSL 1.1.1k. OpenSSL is widely used to implement the Transport Layer Security and Secure Sockets Layer protocols, which support encrypted network connections.

"In order to be affected, an application must explicitly set the X509 V FLAG X509 STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose," the OpenSSL advisory explains.

He told us he is now a full time contractor at OpenSSL Software Services, i.e - one of the core OpenSSL developers.

The second flaw, a null pointer dereference, has the potential to crash an OpenSSL server with a maliciously crafted renegotiation ClientHello message.

"If a TLSv1.2 renegotiation ClientHello omits the signature algorithms extension, but includes a signature algorithms cert extension then a null pointer dereference will result, leading to a crash and a denial of service attack," the advisory explains.

All previous OpenSSL 1.1.1 versions are affected, so those upgrading their software should use the newly issued OpenSSL 1.1.1k, which incorporates a fix developed by Peter Kästle and Samuel Sapalski from Nokia.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/03/25/openssl_bug_fix/