Home > Vulnerability Database > CVE-2021-3449

Mend.io Vulnerability Database

CVE-2021-3449

Good to know:

Date: March 25, 2021

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

Language: C

Severity Score

5.9

Related Resources (34)

Url: https://kc.mcafee.com/corporate/index?page=content&id=SB10356

Url: https://www.oracle.com/security-alerts/cpuApr2021.html

Url: https://security.gentoo.org/glsa/202103-03

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/

Url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd

Url: http://www.openwall.com/lists/oss-security/2021/03/27/2

Url: http://www.openwall.com/lists/oss-security/2021/03/27/1

Url: https://www.tenable.com/security/tns-2021-06

Url: http://www.openwall.com/lists/oss-security/2021/03/28/3

Url: https://www.tenable.com/security/tns-2021-05

Url: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845

Url: http://www.openwall.com/lists/oss-security/2021/03/28/4

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-3449

Url: https://www.openssl.org/news/secadv/20210325.txt

Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148

Url: https://www.oracle.com/security-alerts/cpuapr2022.html

Url: https://www.oracle.com/security-alerts/cpuoct2021.html

Url: https://security.alpinelinux.org/vuln/CVE-2021-3449

Url: https://security.netapp.com/advisory/ntap-20210513-0002/

Url: https://www.debian.org/security/2021/dsa-4875

Url: https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc

Url: https://www.tenable.com/security/tns-2021-10

Url: https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf

Url: https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html

Url: https://access.redhat.com/security/cve/CVE-2021-3449

Url: https://security.netapp.com/advisory/ntap-20210326-0006/

Url: https://www.tenable.com/security/tns-2021-09

Url: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013

Url: https://security-tracker.debian.org/tracker/CVE-2021-3449

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2021-3449

Url: https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Url: https://www.oracle.com//security-alerts/cpujul2021.html

Url: https://www.oracle.com/security-alerts/cpujul2022.html

Url: https://www.mend.io/vulnerability-database/CVE-2021-3449

Severity Score

5.9

Weakness Type (CWE)

NULL Pointer Dereference

CWE-476

Top Fix

Upgrade Version

Upgrade to version 1.1.1k

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-3449

Good to know:

Date: March 25, 2021

Language: C

Severity Score

Related Resources (34)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?