CVE-2021-3450 · threatengine.sh

Home/CVE/The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain.

CVE

CVE-2021-3450

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain.

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check.

An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA.

All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application.

In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).

HIGH · CVSS 7.4 EPSS 0.00504

Schedule remediation

CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-295Improper Certificate Validation

▤

Affected Products & Versions

37

openssl>= 1.1.1h and < 1.1.1k
freebsdall versions
netapp santricity smi-s provider firmwareall versions
netapp storagegrid firmwareall versions
windriver linuxall versions
netapp cloud volumes ontap mediatorall versions
netapp oncommand workflow automationall versions
netapp ontap select deploy administration utilityall versions
Show all 37 affected productsnetapp storagegridall versions
fedoraproject fedoraall versions
tenable nessus<= 8.13.1
tenable nessus agent>= 8.2.1 and <= 8.2.3
tenable nessus network monitorall versions
oracle commerce guided searchall versions
oracle enterprise manager for storage managementall versions
oracle graalvmall versions
oracle jd edwards enterpriseone tools< 9.2.6.0
oracle jd edwards world securityall versions
oracle mysql connectors<= 8.0.23
oracle mysql enterprise monitor<= 8.0.23
oracle mysql server<= 5.7.33
oracle mysql server>= 8.0.15 and <= 8.0.23
oracle mysql workbench<= 8.0.23
oracle peoplesoft enterprise peopletools>= 8.57 and <= 8.59
oracle secure backup< 18.1.0.1.0
oracle secure global desktopall versions
oracle weblogic serverall versions
mcafee web gatewayall versions
mcafee web gateway cloud serviceall versions
sonicwall sma100 firmware< 10.2.1.0-17sv
sonicwall capture client< 3.6.24
sonicwall email security< 10.0.11
sonicwall sonicos<= 7.0.1-r1456
nodejs node.js>= 10.0.0 and < 10.24.1
nodejs node.js>= 12.0.0 and < 12.22.1
nodejs node.js>= 14.0.0 and < 14.16.1
nodejs node.js>= 15.0.0 and < 15.14.0

▤

Affected Packages

1

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

crates.io openssl-src HIGH fixed in 111.15.0

▣

Scoring & Timeline

7.4

HIGH · CVSS v3.1 · openssl-security@openssl.org

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD25 Mar 2021 · 03:15 PM

CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

⚑

Vendor Advisories

22

suse-csafopenSUSE-SU-2024:11127-1
siemens-csafSSA-389290
msrcCVE-2021-3450Information Disclosure
suse-csafopenSUSE-SU-2021:1059-1
suse-csafopenSUSE-SU-2021:1061-1
Show all 22 vendor advisoriessuse-csafopenSUSE-SU-2021:2353-1
suse-csafSUSE-SU-2021:2353-1
suse-csafopenSUSE-SU-2021:2327-1
suse-csafSUSE-SU-2021:2323-1
suse-csafSUSE-SU-2021:2326-1
suse-csafSUSE-SU-2021:2327-1
rhsaRHSA-2021:1195Important
rhsaRHSA-2021:1199Important
rhsaRHSA-2021:1196Important
rhsaRHSA-2021:1202Important
rhsaRHSA-2021:1203Important
rhsaRHSA-2021:1200Important
rhsaRHSA-2021:1024Important
rhsaRHSA-2021:1189Important
cisco-csafcisco-sa-openssl-2021-GHY28dJd
oracle-cpuoracle-cpu-Enterprise-Manager-for-Storage-Management-10303--CVE-2021-3450
cisa-csafcisa-csaf-csaf_files-OT-white-2022-icsa-22-069-09

🔗

References & Sources

24

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://www.openwall.com/lists/oss-security/2021/03/27/1Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/03/27/2Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/03/28/3Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/03/28/4Mailing ListThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfThird Party Advisory

https://git.openssl.org/gitweb/?p=openssl.git

Show all 24 references

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845Third Party Advisory

https://kc.mcafee.com/corporate/index?page=content&id=SB10356Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/

https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.htmlMailing ListVendor Advisory

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013Third Party Advisory

https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.ascThird Party Advisory

https://security.gentoo.org/glsa/202103-03Third Party Advisory

https://security.netapp.com/advisory/ntap-20210326-0006/Third Party Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJdThird Party Advisory

https://www.openssl.org/news/secadv/20210325.txtVendor Advisory

https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory

https://www.tenable.com/security/tns-2021-05Third Party Advisory

https://www.tenable.com/security/tns-2021-08Third Party Advisory

https://www.tenable.com/security/tns-2021-09Third Party Advisory

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin