OpenSSL 1.1.1k Update Addresses Two Critical Vulnerabilities

A patch release for the OpenSSL 1.1.1k cryptographic library is now available, resolving two high-severity vulnerabilities:

  • CVE-2021-3450 – a potential bypass of the certificate authority's certificate validation when the X509_V_FLAG_X509_STRICT flag is enabled, which is turned off by default and is used for additional checks for certificate presence in the chain. This issue was introduced in the new validation implemented in OpenSSL 1.1.1h, which prohibits the use of certificates in the chain that have explicitly encoded elliptic curve parameters.

    Due to a coding error, the new check was overriding the results of a previously executed validation of the certificate from the certificate authority. As a result, certificates signed with a self-signed certificate that is not chain-trusted by the authority were treated as fully trustworthy. The vulnerability does not manifest when the 'purpose' parameter, which is set by default in the client and server certificate validation procedures in libssl (used for TLS), is established.

  • CVE-2021-3449 — potential crash trigger server TLS through sending a specially crafted ClientHello message by the client. The issue is related to dereferencing a NULL pointer in the implementation of the signature_algorithms extension. The problem only manifests on servers with TLSv1.2 support and connection renegotiation enabled (default setting).

Source: opennet.ru

Purchase reliable hosting with DDoS protection, VPS VDS servers 🔥 Get reliable hosting with DDoS protection, VPS VDS servers | ProHoster