CVE-2021-3449

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

CVSS v2.0 4.3

4.3^/10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

CVSS v3.0 5.9 MEDIUM

5.9^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148	Mailing List Patch
https://www.openssl.org/news/secadv/20210325.txt	Vendor Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd	Third Party Advisory
https://www.debian.org/security/2021/dsa-4875	Third Party Advisory
https://security.netapp.com/advisory/ntap-20210326-0006/	Third Party Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc	Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/27/1	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/27/2	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/28/3	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/28/4	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202103-03	Third Party Advisory
https://www.tenable.com/security/tns-2021-06	Third Party Advisory
https://www.tenable.com/security/tns-2021-05	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/	Mailing List Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10356	Third Party Advisory
https://www.tenable.com/security/tns-2021-09	Third Party Advisory
https://security.netapp.com/advisory/ntap-20210513-0002/	Third Party Advisory
https://www.tenable.com/security/tns-2021-10	Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf	Patch Third Party Advisory
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845	Third Party Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html	Mailing List Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory

Configurations

Configuration 1

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

cpe:2.3:o:freebsd:freebsd:12.2:p1:*:*:*:*:*:*

cpe:2.3:o:freebsd:freebsd:12.2:p2:*:*:*:*:*:*

cpe:2.3:o:freebsd:freebsd:12.2:-:*:*:*:*:*:*

cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*

cpe:2.3:a:netapp:cloud_volumes_ontap_mediator:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*

cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:*

cpe:2.3:a:tenable:nessus_network_monitor:5.11.1:*:*:*:*:*:*:*

cpe:2.3:a:tenable:nessus_network_monitor:5.12.0:*:*:*:*:*:*:*

cpe:2.3:a:tenable:nessus_network_monitor:5.12.1:*:*:*:*:*:*:*

cpe:2.3:a:tenable:nessus_network_monitor:5.13.0:*:*:*:*:*:*:*

cpe:2.3:a:tenable:nessus_network_monitor:5.11.0:*:*:*:*:*:*:*

cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

cpe:2.3:a:mcafee:web_gateway_cloud_service:10.1.1:*:*:*:*:*:*:*

cpe:2.3:a:mcafee:web_gateway_cloud_service:9.2.10:*:*:*:*:*:*:*

cpe:2.3:a:mcafee:web_gateway_cloud_service:8.2.19:*:*:*:*:*:*:*

cpe:2.3:a:mcafee:web_gateway:10.1.1:*:*:*:*:*:*:*

cpe:2.3:a:mcafee:web_gateway:9.2.10:*:*:*:*:*:*:*

cpe:2.3:a:mcafee:web_gateway:8.2.19:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_for_storage_management:13.4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:secure_global_desktop:5.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:*

cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:*

cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:*

cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*

cpe:2.3:a:oracle:essbase:21.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:secure_backup:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:sonicwall:capture_client:3.5:*:*:*:*:*:*:*

cpe:2.3:o:sonicwall:sonicos:7.0.1.0:*:*:*:*:*:*:*

cpe:2.3:a:siemens:simatic_wincc_runtime_advanced:*:*:*:*:*:*:*:*

cpe:2.3:a:siemens:sinema_server:14.0:sp2_update1:*:*:*:*:*:*

cpe:2.3:a:siemens:sinema_server:14.0:sp1:*:*:*:*:*:*

cpe:2.3:a:siemens:sinema_server:14.0:sp2:*:*:*:*:*:*

cpe:2.3:a:siemens:sinema_server:14.0:-:*:*:*:*:*:*

cpe:2.3:a:siemens:simatic_logon:*:*:*:*:*:*:*:*

cpe:2.3:a:siemens:simatic_logon:1.5:sp3_update_1:*:*:*:*:*:*

cpe:2.3:a:siemens:simatic_wincc_telecontrol:-:*:*:*:*:*:*:*

cpe:2.3:a:siemens:sinec_nms:1.0:sp1:*:*:*:*:*:*

cpe:2.3:a:siemens:sinec_nms:1.0:-:*:*:*:*:*:*

cpe:2.3:a:siemens:sinec_pni:-:*:*:*:*:*:*:*

cpe:2.3:a:siemens:tia_administrator:*:*:*:*:*:*:*:*

cpe:2.3:a:siemens:sinema_server:14.0:sp2_update2:*:*:*:*:*:*

cpe:2.3:a:siemens:sinumerik_opc_ua_server:*:*:*:*:*:*:*:*

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

History

24 Jan 2023, 16:19

Type	Values Removed	Values Added
CPE		cpe:2.3:a:predictapp_project:predictapp::::::::
References	~~(MISC) https://github.com/abhilash1985/PredictApp/commit/b067372f3ee26fe1b657121f0f41883ff4461a06 -~~	(MISC) https://github.com/abhilash1985/PredictApp/commit/b067372f3ee26fe1b657121f0f41883ff4461a06 - Patch, Third Party Advisory
References	~~(MISC) https://github.com/abhilash1985/PredictApp/pull/73 -~~	(MISC) https://github.com/abhilash1985/PredictApp/pull/73 - Patch, Third Party Advisory
References	~~(MISC) https://vuldb.com/?id.218387 -~~	(MISC) https://vuldb.com/?id.218387 - Third Party Advisory
References	~~(MISC) https://vuldb.com/?ctiid.218387 -~~	(MISC) https://vuldb.com/?ctiid.218387 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Predictapp Project predictapp Predictapp Project

16 Jan 2023, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-03-25 03:15

Updated : 2022-08-29 08:27

NVD link : CVE-2021-3449

Mitre link : CVE-2021-3449

Products Affected

Nessus Network Monitor

Tenable

CWE

CWE-476

CVE-2021-3449

4.3 /10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

5.9 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.3^/10

5.9^/10