First published: Thu Mar 25 2021(Updated: )
OpenSSL could allow a remote attacker to bypass security restrictions, caused by a missing check in the validation logic of X.509 certificate chains when the X509_V_FLAG_X509_STRICT flag is set. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates, and override the default purpose.
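As an added regression check (not part of this advisory or of OpenSSL itself), the following shell script builds a chain in which a CA:FALSE end-entity certificate signs a leaf, then confirms that the installed `openssl` rejects that leaf under `-x509_strict` with no `-purpose`, which is the configuration the bug affects. It assumes an `openssl` CLI (1.1.1 or later) with a usable default openssl.cnf; all names, keys and serials are throwaway test values.

```shell
#!/bin/sh
# Regression check for CVE-2021-3450 via the openssl CLI (added example, not advisory code).
# Builds root CA -> end entity (CA:FALSE) -> leaf "issued" by that end entity, then runs
# `openssl verify -x509_strict` with no -purpose. A patched build must reject the leaf.
set -e

# Issue one certificate: $1 workdir, $2 name, $3 subject, $4 issuer name ("" = self-signed),
# $5 serial, $6 extension file in workdir. Keys are throwaway RSA-2048 test keys.
issue_cert() {
    d=$1; n=$2; subj=$3; issuer=$4; serial=$5; ext=$6
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -set_serial "$serial" \
            -days 30 -extfile "$d/$ext" -out "$d/$n.pem" 2>/dev/null
    else
        openssl x509 -req -in "$d/$n.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
            -set_serial "$serial" -days 30 -extfile "$d/$ext" -out "$d/$n.pem" 2>/dev/null
    fi
}

build_chain() {  # $1 = workdir
    printf '%s\n' "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign" \
        "subjectKeyIdentifier=hash" > "$1/ca.ext"
    printf '%s\n' "basicConstraints=critical,CA:FALSE" "keyUsage=critical,digitalSignature" \
        "subjectKeyIdentifier=hash" "authorityKeyIdentifier=keyid" > "$1/ee.ext"
    issue_cert "$1" root "/CN=Test Root" "" 1 ca.ext
    issue_cert "$1" ee "/CN=Non-CA End Entity" root 2 ee.ext   # must never issue certs
    issue_cert "$1" leaf "/CN=Leaf" ee 3 ee.ext                 # but it did: the bad chain
}

# Prints "fixed" when the build rejects the non-CA-issued leaf, "vulnerable" when it
# accepts it, and "broken" when even the legitimate root->ee chain fails the sanity check.
check_cve_2021_3450() {
    d=$(mktemp -d); build_chain "$d"; result=broken
    if openssl verify -x509_strict -CAfile "$d/root.pem" "$d/ee.pem" >/dev/null 2>&1; then
        if openssl verify -x509_strict -CAfile "$d/root.pem" -untrusted "$d/ee.pem" \
                "$d/leaf.pem" >/dev/null 2>&1; then result=vulnerable; else result=fixed; fi
    fi
    rm -rf "$d"; echo "$result"
}

check_cve_2021_3450
```

On OpenSSL 1.1.1k or later (and 3.x) the script prints `fixed`; an unpatched 1.1.1h through 1.1.1j prints `vulnerable`.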
Credit: openssl-security@openssl.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rust/openssl-src | >=111.11.0, <111.15.0 | 111.15.0 |
| IBM Security Verify Bridge | All | |
| OpenSSL | >=1.1.1h, <1.1.1k | |
| FreeBSD Kernel | =12.2 | |
| FreeBSD Kernel | =12.2-p1 | |
| FreeBSD Kernel | =12.2-p2 | |
| NetApp SANtricity SMI-S Provider Firmware | | |
| NetApp StorageGRID Webscale | | |
| Wind River Linux | | |
| Wind River Linux | =17.0 | |
| Wind River Linux | =18.0 | |
| Wind River Linux | =19.0 | |
| NetApp ONTAP Mediator | | |
| NetApp OnCommand Workflow Automation | | |
| NetApp ONTAP Select Deploy | | |
| Red Hat Fedora | =34 | |
| Nessus | <=8.13.1 | |
| Nessus | >=8.2.1, <=8.2.3 | |
| Tenable Nessus | =5.11.0 | |
| Tenable Nessus | =5.11.1 | |
| Tenable Nessus | =5.12.0 | |
| Tenable Nessus | =5.12.1 | |
| Tenable Nessus | =5.13.0 | |
| Oracle Commerce | =11.3.2 | |
| Oracle Enterprise Manager for Storage Management | =13.4.0.0 | |
| Oracle GraalVM Enterprise Edition | =19.3.5 | |
| Oracle GraalVM Enterprise Edition | =20.3.1.2 | |
| Oracle GraalVM Enterprise Edition | =21.0.0.2 | |
| Oracle JD Edwards EnterpriseOne Tools | <9.2.6.0 | |
| Oracle JD Edwards World Security | =a9.4 | |
| Oracle MySQL Connectors | <=8.0.23 | |
| MySQL Enterprise Monitor | <=8.0.23 | |
| MySQL | <=5.7.33 | |
| MySQL | >=8.0.15, <=8.0.23 | |
| MySQL Workbench | <=8.0.23 | |
| Oracle PeopleTools | >=8.57, <=8.59 | |
| Oracle Secure Backup | <18.1.0.1.0 | |
| Tarantella Secure Global Desktop | =5.6 | |
| Oracle WebLogic Server | =12.2.1.4.0 | |
| Oracle WebLogic Server | =14.1.1.0.0 | |
| McAfee Web Gateway Cloud Service | =8.2.19 | |
| McAfee Web Gateway Cloud Service | =9.2.10 | |
| McAfee Web Gateway Cloud Service | =10.1.1 | |
| SonicWall SMA 100 firmware | <10.2.1.0-17sv | |
| SonicWall SMA 100 | | |
| SonicWall Capture Client | <3.6.24 | |
| SonicWall Email Security | <10.0.11 | |
| SonicWall SonicOS | <=7.0.1-r1456 | |
| Node.js | >=10.0.0, <10.24.1 | |
| Node.js | >=12.0.0, <12.22.1 | |
| Node.js | >=14.0.0, <14.16.1 | |
| Node.js | >=15.0.0, <15.14.0 | |
CVE-2021-3450 is classified as critical due to its potential to allow remote attackers to bypass security restrictions.
To fix CVE-2021-3450, update OpenSSL to version 1.1.1k or higher, or apply patches provided by software vendors utilizing the affected libraries.
CVE-2021-3450 affects various versions of OpenSSL prior to 1.1.1k, and systems including IBM Security Verify Bridge and multiple embedded Linux distributions.
CVE-2021-3450 is an authentication bypass vulnerability that stems from a missing check in the validation logic of X.509 certificate chains.
Yes, CVE-2021-3450 can be exploited remotely by attackers who manage to sign a specially crafted certificate.