CVE-2021-3449

MEDIUM5.9EPSS 9.9%

NULL pointer deref in signature_algorithms processing

發布日:2021/8/25修改日:2024/12/16

也稱為:GHSA-83mx-573x-5rw9ALPINE-CVE-2021-3449BIT-node-2021-3449BIT-node-min-2021-3449RUSTSEC-2021-0055

描述

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue.

受影響套件(8)

Alpine/opensslfrom 0, < 1.1.1k-r0
Alpine/openssl3from 0, < 1.1.1k-r0
Bitnami/node>= 10.0.0, < 10.12.1, >= 10.13.0, < 10.24.1, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.22.1, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.16.1, >= 15.0.0, < 15.14.0
Bitnami/node-min>= 10.0.0, < 10.12.1, >= 10.13.0, < 10.24.1, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.22.1, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.16.1, >= 15.0.0, < 15.14.0
crates.io/openssl-src>= 0.0.0-0, < 111.15.0
crates.io/openssl-srcfrom 0, < 111.15.0
Debian/opensslfrom 0, < 1.1.1d-0+deb10u6
Debian/opensslfrom 0, < 1.1.1k-1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

描述

受影響套件(8)

CVSS 分數

參考連結(40)