CVE-2021-3450: CA certificate check bypass with X509_V_FLAG_X509_STRICT
First published: Thu Mar 25 2021(Updated: )
OpenSSL could allow a remote attacker to bypass security restrictions, caused by a a missing check in the validation logic of X.509 certificate chains by the X509_V_FLAG_X509_STRICT flag. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates and override the default purpose.
Credit: openssl-security@openssl.org openssl-security@openssl.org openssl-security@openssl.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rust/openssl-src | >=111.11.0<111.15.0 | 111.15.0 |
| OpenSSL OpenSSL | >=1.1.1h<1.1.1k | |
| FreeBSD FreeBSD | =12.2 | |
| FreeBSD FreeBSD | =12.2-p1 | |
| FreeBSD FreeBSD | =12.2-p2 | |
| Netapp Santricity Smi-s Provider Firmware | ||
| Netapp Santricity Smi-s Provider | ||
| Netapp Storagegrid Firmware | ||
| Netapp Storagegrid | ||
| Windriver Linux | ||
| Windriver Linux | =17.0 | |
| Windriver Linux | =18.0 | |
| Windriver Linux | =19.0 | |
| Netapp Cloud Volumes Ontap Mediator | ||
| NetApp OnCommand Workflow Automation | ||
| NetApp ONTAP Select Deploy administration utility | ||
| Netapp Storagegrid | ||
| Fedoraproject Fedora | =34 | |
| Tenable Nessus | <=8.13.1 | |
| Tenable Nessus Agent | >=8.2.1<=8.2.3 | |
| Tenable Nessus Network Monitor | =5.11.0 | |
| Tenable Nessus Network Monitor | =5.11.1 | |
| Tenable Nessus Network Monitor | =5.12.0 | |
| Tenable Nessus Network Monitor | =5.12.1 | |
| Tenable Nessus Network Monitor | =5.13.0 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Enterprise Manager For Storage Management | =13.4.0.0 | |
| Oracle GraalVM | =19.3.5 | |
| Oracle GraalVM | =20.3.1.2 | |
| Oracle GraalVM | =21.0.0.2 | |
| Oracle Jd Edwards Enterpriseone Tools | <9.2.6.0 | |
| Oracle Jd Edwards World Security | =a9.4 | |
| Oracle Mysql Connectors | <=8.0.23 | |
| IBM Cognos Analytics | <=8.0.23 | |
| Oracle Mysql Server | <=5.7.33 | |
| Oracle Mysql Server | >=8.0.15<=8.0.23 | |
| Oracle Mysql Workbench | <=8.0.23 | |
| Oracle PeopleSoft Enterprise PeopleTools | >=8.57<=8.59 | |
| Oracle Secure Backup | <18.1.0.1.0 | |
| Oracle Secure Global Desktop | =5.6 | |
| Oracle WebLogic Server | =12.2.1.4.0 | |
| Oracle WebLogic Server | =14.1.1.0.0 | |
| McAfee Web Gateway | =8.2.19 | |
| McAfee Web Gateway | =9.2.10 | |
| McAfee Web Gateway | =10.1.1 | |
| Mcafee Web Gateway Cloud Service | =8.2.19 | |
| Mcafee Web Gateway Cloud Service | =9.2.10 | |
| Mcafee Web Gateway Cloud Service | =10.1.1 | |
| Sonicwall Sma100 Firmware | <10.2.1.0-17sv | |
| SonicWall SMA100 | ||
| SonicWall Capture Client | <3.6.24 | |
| SonicWall Email Security | <10.0.11 | |
| SonicWall SonicOS | <=7.0.1-r1456 | |
| Nodejs Node.js | >=10.0.0<10.24.1 | |
| Nodejs Node.js | >=12.0.0<12.22.1 | |
| Nodejs Node.js | >=14.0.0<14.16.1 | |
| Nodejs Node.js | >=15.0.0<15.14.0 | |
| IBM Security Verify Bridge | <=All |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-3450
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845
- https://kc.mcafee.com/corporate/index?page=content&id=SB10356
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
- https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013
- https://rustsec.org/advisories/RUSTSEC-2021-0056.html
- https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc
- https://security.gentoo.org/glsa/202103-03
- https://security.netapp.com/advisory/ntap-20210326-0006/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd
- https://www.openssl.org/news/secadv/20210325.txt
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.tenable.com/security/tns-2021-05
- https://www.tenable.com/security/tns-2021-08
- https://www.tenable.com/security/tns-2021-09
- http://www.openwall.com/lists/oss-security/2021/03/27/1
- http://www.openwall.com/lists/oss-security/2021/03/27/2
- http://www.openwall.com/lists/oss-security/2021/03/28/3
- http://www.openwall.com/lists/oss-security/2021/03/28/4
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/advisories/GHSA-8hfj-xrj2-pm22 (Advisory)
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/198754
- https://www.ibm.com/support/pages/node/6491653 (Advisory)
- collector/github-advisory-latest
- alias/GHSA-8hfj-xrj2-pm22
- alias/CVE-2021-3450
- collector/github-advisory
- agent/type
- agent/remedy
- agent/weakness
- agent/author
- agent/severity
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/first-publish-date
- agent/event
- agent/references
- agent/softwarecombine
- agent/description
- agent/tags
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- package-manager/rust
- vendor/openssl
- canonical/openssl openssl
- version/openssl openssl/1.1.1h
- vendor/freebsd
- canonical/freebsd freebsd
- version/freebsd freebsd/12.2
- version/freebsd freebsd/12.2-p1
- version/freebsd freebsd/12.2-p2
- vendor/netapp
- canonical/netapp santricity smi-s provider firmware
- canonical/netapp santricity smi-s provider
- canonical/netapp storagegrid firmware
- canonical/netapp storagegrid
- vendor/windriver
- canonical/windriver linux
- version/windriver linux/17.0
- version/windriver linux/18.0
- version/windriver linux/19.0
- canonical/netapp cloud volumes ontap mediator
- canonical/netapp oncommand workflow automation
- canonical/netapp ontap select deploy administration utility
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- vendor/tenable
- canonical/tenable nessus
- version/tenable nessus/8.13.1
- canonical/tenable nessus agent
- version/tenable nessus agent/8.2.1
- version/tenable nessus agent/8.2.3
- canonical/tenable nessus network monitor
- version/tenable nessus network monitor/5.11.0
- version/tenable nessus network monitor/5.11.1
- version/tenable nessus network monitor/5.12.0
- version/tenable nessus network monitor/5.12.1
- version/tenable nessus network monitor/5.13.0
- vendor/oracle
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle enterprise manager for storage management
- version/oracle enterprise manager for storage management/13.4.0.0
- canonical/oracle graalvm
- version/oracle graalvm/19.3.5
- version/oracle graalvm/20.3.1.2
- version/oracle graalvm/21.0.0.2
- canonical/oracle jd edwards enterpriseone tools
- canonical/oracle jd edwards world security
- version/oracle jd edwards world security/a9.4
- canonical/oracle mysql connectors
- version/oracle mysql connectors/8.0.23
- canonical/ibm cognos analytics
- version/ibm cognos analytics/8.0.23
- canonical/oracle mysql server
- version/oracle mysql server/5.7.33
- version/oracle mysql server/8.0.15
- version/oracle mysql server/8.0.23
- canonical/oracle mysql workbench
- version/oracle mysql workbench/8.0.23
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle secure backup
- canonical/oracle secure global desktop
- version/oracle secure global desktop/5.6
- canonical/oracle weblogic server
- version/oracle weblogic server/12.2.1.4.0
- version/oracle weblogic server/14.1.1.0.0
- vendor/mcafee
- canonical/mcafee web gateway
- version/mcafee web gateway/8.2.19
- version/mcafee web gateway/9.2.10
- version/mcafee web gateway/10.1.1
- canonical/mcafee web gateway cloud service
- version/mcafee web gateway cloud service/8.2.19
- version/mcafee web gateway cloud service/9.2.10
- version/mcafee web gateway cloud service/10.1.1
- vendor/sonicwall
- canonical/sonicwall sma100 firmware
- canonical/sonicwall sma100
- canonical/sonicwall capture client
- canonical/sonicwall email security
- canonical/sonicwall sonicos
- version/sonicwall sonicos/7.0.1-r1456
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/10.0.0
- version/nodejs node.js/12.0.0
- version/nodejs node.js/14.0.0
- version/nodejs node.js/15.0.0
- vendor/ibm
- canonical/ibm security verify bridge
- version/ibm security verify bridge/all