CVE-2021-3450: CA certificate check bypass with X509_V_FLAG_X509_STRICT
First published: Thu Mar 25 2021(Updated: )
OpenSSL could allow a remote attacker to bypass security restrictions, caused by a a missing check in the validation logic of X.509 certificate chains by the X509_V_FLAG_X509_STRICT flag. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates and override the default purpose.
Credit: openssl-security@openssl.org openssl-security@openssl.org openssl-security@openssl.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rust/openssl-src | >=111.11.0<111.15.0 | 111.15.0 |
| IBM Security Verify Bridge | <=All | |
| OpenSSL libcrypto | >=1.1.1h<1.1.1k | |
| FreeBSD FreeBSD | =12.2 | |
| FreeBSD FreeBSD | =12.2-p1 | |
| FreeBSD FreeBSD | =12.2-p2 | |
| netapp santricity smi-s provider firmware | ||
| netapp santricity smi-s provider | ||
| NetApp StorageGRID Webscale | ||
| netapp storagegrid | ||
| windriver linux | ||
| windriver linux | =17.0 | |
| windriver linux | =18.0 | |
| windriver linux | =19.0 | |
| netapp cloud volumes ontap mediator | ||
| NetApp OnCommand Workflow Automation | ||
| NetApp ONTAP Select Deploy | ||
| netapp storagegrid | ||
| Fedora | =34 | |
| Tenable Nessus | <=8.13.1 | |
| tenable nessus agent | >=8.2.1<=8.2.3 | |
| Tenable Nessus Network Monitor | =5.11.0 | |
| Tenable Nessus Network Monitor | =5.11.1 | |
| Tenable Nessus Network Monitor | =5.12.0 | |
| Tenable Nessus Network Monitor | =5.12.1 | |
| Tenable Nessus Network Monitor | =5.13.0 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| oracle enterprise manager for storage management | =13.4.0.0 | |
| Oracle GraalVM Enterprise Edition | =19.3.5 | |
| Oracle GraalVM Enterprise Edition | =20.3.1.2 | |
| Oracle GraalVM Enterprise Edition | =21.0.0.2 | |
| Oracle JD Edwards EnterpriseOne Tools | <9.2.6.0 | |
| oracle jd edwards world security | =a9.4 | |
| Oracle MySQL Connectors | <=8.0.23 | |
| MySQL Enterprise Monitor | <=8.0.23 | |
| MySQL | <=5.7.33 | |
| MySQL | >=8.0.15<=8.0.23 | |
| oracle mysql workbench | <=8.0.23 | |
| Oracle PeopleSoft Enterprise PeopleTools | >=8.57<=8.59 | |
| Oracle Secure Backup | <18.1.0.1.0 | |
| Oracle Secure Global Desktop | =5.6 | |
| Oracle WebLogic Server | =12.2.1.4.0 | |
| Oracle WebLogic Server | =14.1.1.0.0 | |
| McAfee Web Gateway | =8.2.19 | |
| McAfee Web Gateway | =9.2.10 | |
| McAfee Web Gateway | =10.1.1 | |
| mcafee web gateway cloud service | =8.2.19 | |
| mcafee web gateway cloud service | =9.2.10 | |
| mcafee web gateway cloud service | =10.1.1 | |
| sonicwall sma100 firmware | <10.2.1.0-17sv | |
| SonicWall SMA 100 | ||
| SonicWall Capture Client | <3.6.24 | |
| SonicWall Email Security | <10.0.11 | |
| SonicWall SonicOS | <=7.0.1-r1456 | |
| Node.js | >=10.0.0<10.24.1 | |
| Node.js | >=12.0.0<12.22.1 | |
| Node.js | >=14.0.0<14.16.1 | |
| Node.js | >=15.0.0<15.14.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-3450
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845
- https://kc.mcafee.com/corporate/index?page=content&id=SB10356
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
- https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013
- https://rustsec.org/advisories/RUSTSEC-2021-0056.html
- https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc
- https://security.gentoo.org/glsa/202103-03
- https://security.netapp.com/advisory/ntap-20210326-0006/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd
- https://www.openssl.org/news/secadv/20210325.txt
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.tenable.com/security/tns-2021-05
- https://www.tenable.com/security/tns-2021-08
- https://www.tenable.com/security/tns-2021-09
- http://www.openwall.com/lists/oss-security/2021/03/27/1
- http://www.openwall.com/lists/oss-security/2021/03/27/2
- http://www.openwall.com/lists/oss-security/2021/03/28/3
- http://www.openwall.com/lists/oss-security/2021/03/28/4
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/advisories/GHSA-8hfj-xrj2-pm22 (Advisory)
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/198754
- https://www.ibm.com/support/pages/node/6491653 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2021-3450?
CVE-2021-3450 is classified as critical due to its potential to allow remote attackers to bypass security restrictions.
How do I fix CVE-2021-3450?
To fix CVE-2021-3450, update OpenSSL to version 1.1.1k or higher, or apply patches provided by software vendors utilizing the affected libraries.
What systems are affected by CVE-2021-3450?
CVE-2021-3450 affects various versions of OpenSSL prior to 1.1.1k, and systems including IBM Security Verify Bridge and multiple embedded Linux distributions.
What type of vulnerability is CVE-2021-3450?
CVE-2021-3450 is an authentication bypass vulnerability that stems from a missing check in the validation logic of X.509 certificate chains.
Can CVE-2021-3450 be exploited remotely?
Yes, CVE-2021-3450 can be exploited remotely by attackers who manage to sign a specially crafted certificate.
- collector/github-advisory-latest
- alias/GHSA-8hfj-xrj2-pm22
- alias/CVE-2021-3450
- collector/github-advisory
- agent/type
- agent/remedy
- agent/weakness
- agent/author
- agent/severity
- agent/title
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-cve
- package-manager/rust
- vendor/ibm
- canonical/ibm security verify bridge
- version/ibm security verify bridge/all
- vendor/openssl
- canonical/openssl libcrypto
- version/openssl libcrypto/1.1.1h
- vendor/freebsd
- canonical/freebsd freebsd
- version/freebsd freebsd/12.2
- version/freebsd freebsd/12.2-p1
- version/freebsd freebsd/12.2-p2
- vendor/netapp
- canonical/netapp santricity smi-s provider firmware
- canonical/netapp santricity smi-s provider
- canonical/netapp storagegrid webscale
- canonical/netapp storagegrid
- vendor/windriver
- canonical/windriver linux
- version/windriver linux/17.0
- version/windriver linux/18.0
- version/windriver linux/19.0
- canonical/netapp cloud volumes ontap mediator
- canonical/netapp oncommand workflow automation
- canonical/netapp ontap select deploy
- vendor/fedoraproject
- canonical/fedora
- version/fedora/34
- vendor/tenable
- canonical/tenable nessus
- version/tenable nessus/8.13.1
- canonical/tenable nessus agent
- version/tenable nessus agent/8.2.1
- version/tenable nessus agent/8.2.3
- canonical/tenable nessus network monitor
- version/tenable nessus network monitor/5.11.0
- version/tenable nessus network monitor/5.11.1
- version/tenable nessus network monitor/5.12.0
- version/tenable nessus network monitor/5.12.1
- version/tenable nessus network monitor/5.13.0
- vendor/oracle
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle enterprise manager for storage management
- version/oracle enterprise manager for storage management/13.4.0.0
- canonical/oracle graalvm enterprise edition
- version/oracle graalvm enterprise edition/19.3.5
- version/oracle graalvm enterprise edition/20.3.1.2
- version/oracle graalvm enterprise edition/21.0.0.2
- canonical/oracle jd edwards enterpriseone tools
- canonical/oracle jd edwards world security
- version/oracle jd edwards world security/a9.4
- canonical/oracle mysql connectors
- version/oracle mysql connectors/8.0.23
- canonical/mysql enterprise monitor
- version/mysql enterprise monitor/8.0.23
- canonical/mysql
- version/mysql/5.7.33
- version/mysql/8.0.15
- version/mysql/8.0.23
- canonical/oracle mysql workbench
- version/oracle mysql workbench/8.0.23
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle secure backup
- canonical/oracle secure global desktop
- version/oracle secure global desktop/5.6
- canonical/oracle weblogic server
- version/oracle weblogic server/12.2.1.4.0
- version/oracle weblogic server/14.1.1.0.0
- vendor/mcafee
- canonical/mcafee web gateway
- version/mcafee web gateway/8.2.19
- version/mcafee web gateway/9.2.10
- version/mcafee web gateway/10.1.1
- canonical/mcafee web gateway cloud service
- version/mcafee web gateway cloud service/8.2.19
- version/mcafee web gateway cloud service/9.2.10
- version/mcafee web gateway cloud service/10.1.1
- vendor/sonicwall
- canonical/sonicwall sma100 firmware
- canonical/sonicwall sma 100
- canonical/sonicwall capture client
- canonical/sonicwall email security
- canonical/sonicwall sonicos
- version/sonicwall sonicos/7.0.1-r1456
- vendor/nodejs
- canonical/node.js
- version/node.js/10.0.0
- version/node.js/12.0.0
- version/node.js/14.0.0
- version/node.js/15.0.0