CVE-2021-3449

Priority
Description
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello
omits the signature_algorithms extension (where it was present in the
initial ClientHello), but includes a signature_algorithms_cert extension
then a NULL pointer dereference will result, leading to a crash and a
denial of service attack. A server is only vulnerable if it has TLSv1.2 and
renegotiation enabled (which is the default configuration). OpenSSL TLS
clients are not impacted by this issue. All OpenSSL 1.1.1 versions are
affected by this issue. Users of these versions should upgrade to OpenSSL
1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL
1.1.1k (Affected 1.1.1-1.1.1j).
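The advisory gives the affected range as OpenSSL 1.1.1 through 1.1.1j, fixed in 1.1.1k, with the vulnerable condition being a server that has TLSv1.2 and renegotiation enabled. The following is an added example (not code from the OpenSSL project or from the Ubuntu tracker) showing two defender-side checks: parsing the letter-suffixed 1.1.1 version scheme to decide whether a reported upstream version falls in the affected range, and disabling renegotiation on a Python `ssl` server context as an interim mitigation. The version strings used in the test are constructed samples. One caveat: Ubuntu backports the fix without bumping the upstream version (e.g. the `1.1.1f-1ubuntu2.3` package listed below still reports 1.1.1f), so for distribution packages the package version from the tracker table is authoritative, not the upstream string.

```python
import re
import ssl

# OpenSSL 1.1.1 patch releases append a letter: 1.1.1 < 1.1.1a < ... < 1.1.1j < 1.1.1k
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)")

# Affected range from the advisory: 1.1.1 (no letter) up to and including 1.1.1j.
# The letter is mapped to its alphabet position, so 'k' is 11 and '' is 0.
_AFFECTED_LOW = (1, 1, 1, 0)
_FIXED = (1, 1, 1, ord("k") - ord("a") + 1)


def parse_openssl_version(text):
    """Turn 'OpenSSL 1.1.1j  16 Feb 2021' or '1.1.1j' into a comparable tuple
    (major, minor, patch, letter_index). Raises ValueError on unknown input."""
    text = text.strip()
    if text.startswith("OpenSSL"):
        text = text[len("OpenSSL"):].strip()
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, patch, letter = m.groups()
    letter_index = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), letter_index)


def is_affected_by_cve_2021_3449(version_text):
    """True only for upstream OpenSSL 1.1.1 through 1.1.1j.
    1.0.2 and 3.x are outside the range the advisory lists."""
    return _AFFECTED_LOW <= parse_openssl_version(version_text) < _FIXED


def runtime_openssl_affected():
    """Check the OpenSSL the running interpreter was linked against."""
    return is_affected_by_cve_2021_3449(ssl.OPENSSL_VERSION)


def harden_server_context(ctx):
    """Interim mitigation for a TLS server that cannot upgrade yet: refuse
    renegotiation entirely, since the crash needs a renegotiation ClientHello.
    Returns True if the option was applied, False if this ssl build lacks it
    (OP_NO_RENEGOTIATION requires Python 3.7+ linked against OpenSSL 1.1.0h+)."""
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if flag is None:
        return False
    ctx.options |= flag
    return True


if __name__ == "__main__":
    print("linked OpenSSL:", ssl.OPENSSL_VERSION,
          "affected" if runtime_openssl_affected() else "not affected")
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("renegotiation disabled:", harden_server_context(server_ctx))
```

Run it on a host to report whether the interpreter's OpenSSL falls in the affected range; `harden_server_context` is the setting to apply to any server-side `SSLContext` until the host is on a fixed build.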
Assigned-to
mdeslaur
Notes
mdeslaur: does not affect 1.0.2
edk2 doesn't implement a server, so not vulnerable to this issue
Package
Source: edk2 (LP Ubuntu Debian)
Priority: Low
Upstream: not-affected
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 18.04 LTS (Bionic Beaver): not-affected
Ubuntu 20.04 LTS (Focal Fossa): not-affected
Ubuntu 21.04 (Hirsute Hippo): not-affected
Ubuntu 21.10 (Impish Indri): not-affected
Patches:
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (uses system openssl)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (uses system openssl1.0)
Ubuntu 20.04 LTS (Focal Fossa): not-affected (uses system openssl1.1)
Ubuntu 21.04 (Hirsute Hippo): not-affected (uses system openssl1.1)
Ubuntu 21.10 (Impish Indri): not-affected (uses system openssl1.1)
Patches:
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): not-affected
Ubuntu 16.04 ESM (Xenial Xerus): not-affected (1.0.2g-1ubuntu4.19)
Ubuntu 18.04 LTS (Bionic Beaver): released (1.1.1-1ubuntu2.1~18.04.9)
Ubuntu 20.04 LTS (Focal Fossa): released (1.1.1f-1ubuntu2.3)
Ubuntu 21.04 (Hirsute Hippo): released (1.1.1j-1ubuntu3)
Ubuntu 21.10 (Impish Indri): released (1.1.1j-1ubuntu3)
Patches:
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (1.0.2n-1ubuntu5.6)
Ubuntu 20.04 LTS (Focal Fossa): DNE
Ubuntu 21.04 (Hirsute Hippo): DNE
Ubuntu 21.10 (Impish Indri): DNE
Patches:
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 18.04 LTS (Bionic Beaver): released (10.18-0ubuntu0.18.04.1)
Ubuntu 20.04 LTS (Focal Fossa): DNE
Ubuntu 21.04 (Hirsute Hippo): DNE
Ubuntu 21.10 (Impish Indri): DNE
Patches:
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 20.04 LTS (Focal Fossa): released (12.8-0ubuntu0.20.04.1)
Ubuntu 21.04 (Hirsute Hippo): DNE
Ubuntu 21.10 (Impish Indri): DNE
Patches:
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 20.04 LTS (Focal Fossa): DNE
Ubuntu 21.04 (Hirsute Hippo): released (13.4-0ubuntu0.21.04.1)
Ubuntu 21.10 (Impish Indri): pending (13.4-1)
Patches:
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 20.04 LTS (Focal Fossa): DNE
Ubuntu 21.04 (Hirsute Hippo): DNE
Ubuntu 21.10 (Impish Indri): DNE
Patches:
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): deferred (2019-08-23)
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 20.04 LTS (Focal Fossa): DNE
Ubuntu 21.04 (Hirsute Hippo): DNE
Ubuntu 21.10 (Impish Indri): DNE
Patches:
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 ESM (Xenial Xerus): needs-triage
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 20.04 LTS (Focal Fossa): DNE
Ubuntu 21.04 (Hirsute Hippo): DNE
Ubuntu 21.10 (Impish Indri): DNE
Patches:
More Information

Updated: 2021-09-23 17:30:56 UTC (commit 3a71382848a53fcadb5f85bc8acde88c292f02e7)