CVE-2021-3450

Severity: HIGH (CVSS 3.1 base score 7.4)
Published Mar 25, 2021 · Last Modified Jun 17, 2026

Description

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application.

In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.

OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).

CVSS Details

Base Score
7.4
Exploitability
2.2
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-295 (Improper Certificate Validation)

Affected Products 56

Vendor        | Product                                    | Version    | Range
--------------|--------------------------------------------|------------|---------------------
openssl       | openssl                                    | *          | ≥1.1.1h – <1.1.1k
freebsd       | freebsd                                    | 12.2       | any
freebsd       | freebsd                                    | 12.2       | any
freebsd       | freebsd                                    | 12.2       | any
netapp        | santricity_smi-s_provider_firmware         | *          | any
netapp        | santricity_smi-s_provider                  | *          | any
netapp        | storagegrid_firmware                       | *          | any
netapp        | storagegrid                                | *          | any
windriver     | linux                                      | *          | any
windriver     | linux                                      | 17.0       | any
windriver     | linux                                      | 18.0       | any
windriver     | linux                                      | 19.0       | any
netapp        | cloud_volumes_ontap_mediator               | *          | any
netapp        | oncommand_workflow_automation              | *          | any
netapp        | ontap_select_deploy_administration_utility | *          | any
netapp        | storagegrid                                | *          | any
fedoraproject | fedora                                     | 34         | any
tenable       | nessus                                     | *          | ≤8.13.1
tenable       | nessus_agent                               | *          | ≥8.2.1 – ≤8.2.3
tenable       | nessus_network_monitor                     | 5.11.0     | any
tenable       | nessus_network_monitor                     | 5.11.1     | any
tenable       | nessus_network_monitor                     | 5.12.0     | any
tenable       | nessus_network_monitor                     | 5.12.1     | any
tenable       | nessus_network_monitor                     | 5.13.0     | any
oracle        | commerce_guided_search                     | 11.3.2     | any
oracle        | enterprise_manager_for_storage_management  | 13.4.0.0   | any
oracle        | graalvm                                    | 19.3.5     | any
oracle        | graalvm                                    | 20.3.1.2   | any
oracle        | graalvm                                    | 21.0.0.2   | any
oracle        | jd_edwards_enterpriseone_tools             | *          | <9.2.6.0
oracle        | jd_edwards_world_security                  | a9.4       | any
oracle        | mysql_connectors                           | *          | ≤8.0.23
oracle        | mysql_enterprise_monitor                   | *          | ≤8.0.23
oracle        | mysql_server                               | *          | ≤5.7.33
oracle        | mysql_server                               | *          | ≥8.0.15 – ≤8.0.23
oracle        | mysql_workbench                            | *          | ≤8.0.23
oracle        | peoplesoft_enterprise_peopletools          | *          | ≥8.57 – ≤8.59
oracle        | secure_backup                              | *          | <18.1.0.1.0
oracle        | secure_global_desktop                      | 5.6        | any
oracle        | weblogic_server                            | 12.2.1.4.0 | any
oracle        | weblogic_server                            | 14.1.1.0.0 | any
mcafee        | web_gateway                                | 8.2.19     | any
mcafee        | web_gateway                                | 9.2.10     | any
mcafee        | web_gateway                                | 10.1.1     | any
mcafee        | web_gateway_cloud_service                  | 8.2.19     | any
mcafee        | web_gateway_cloud_service                  | 9.2.10     | any
mcafee        | web_gateway_cloud_service                  | 10.1.1     | any
sonicwall     | sma100_firmware                            | *          | <10.2.1.0-17sv
sonicwall     | sma100                                     | *          | any
sonicwall     | capture_client                             | *          | <3.6.24
sonicwall     | email_security                             | *          | <10.0.11
sonicwall     | sonicos                                    | *          | ≤7.0.1-r1456
nodejs        | node.js                                    | *          | ≥10.0.0 – <10.24.1
nodejs        | node.js                                    | *          | ≥12.0.0 – <12.22.1
nodejs        | node.js                                    | *          | ≥14.0.0 – <14.16.1
nodejs        | node.js                                    | *          | ≥15.0.0 – <15.14.0

References 24

  • openwall.com http://www.openwall.com/lists/oss-security/2021/03/27/1
    Mailing List, Third Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2021/03/27/2
    Mailing List, Third Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2021/03/28/3
    Mailing List, Third Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2021/03/28/4
    Mailing List, Third Party Advisory
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
    Third Party Advisory
  • git.openssl.org https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b
  • kb.pulsesecure.net https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845
    Third Party Advisory
  • kc.mcafee.com https://kc.mcafee.com/corporate/index?page=content&id=SB10356
    Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
  • mta.openssl.org https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html
    Mailing List, Vendor Advisory
  • psirt.global.sonicwall.com https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013
    Third Party Advisory
  • security.freebsd.org https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc
    Third Party Advisory
  • security.gentoo.org https://security.gentoo.org/glsa/202103-03
    Third Party Advisory
  • security.netapp.com https://security.netapp.com/advisory/ntap-20210326-0006/
    Third Party Advisory
  • tools.cisco.com https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd
    Third Party Advisory
  • openssl.org https://www.openssl.org/news/secadv/20210325.txt
    Vendor Advisory
  • oracle.com https://www.oracle.com//security-alerts/cpujul2021.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuApr2021.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html
    Patch, Third Party Advisory
  • tenable.com https://www.tenable.com/security/tns-2021-05
    Third Party Advisory
  • tenable.com https://www.tenable.com/security/tns-2021-08
    Third Party Advisory
  • tenable.com https://www.tenable.com/security/tns-2021-09
    Third Party Advisory

Remediation

  • oracle.com https://www.oracle.com//security-alerts/cpujul2021.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuApr2021.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html
    Patch, Third Party Advisory