
Two more vulnerabilities uncovered in OpenSSL

March 26, 2021 - TuxCare expert team


OpenSSL, the widely used cryptography toolkit and library, has been audited by security researchers more than almost any other project, with the possible exception of the Linux kernel itself. This week was no exception, and once again issues were found.

[Update 20 April: Over the past weeks, KernelCare has released patches for CVE-2021-3449 covering AlmaLinux OS 8, RHEL 8, Ubuntu 18.04, Ubuntu 20.04, CentOS 8, Debian 10, Oracle Linux 8, and for CVE-2021-3450 covering AlmaLinux OS 8, CentOS 8, Oracle Linux 8, RHEL 8. If you’re running KernelCare on one of those systems, you have already received the patches.]

Rather than reinventing the wheel every time they need a secure communication channel or a certificate validation, for example, programmers rely on the tried and tested OpenSSL library. Its ease of use and wide adoption across operating systems and architectures let them stop worrying about these common functions and focus on their core application goals.

So, whenever the alarms go off around OpenSSL, many pay attention and take it seriously. Just this week, two new vulnerabilities were disclosed, CVE-2021-3449 and CVE-2021-3450, affecting all OpenSSL versions in the 1.1.1 branch. These are the versions bundled with several operating systems such as RHEL 8, which means systems running them should upgrade OpenSSL as soon as possible: OpenSSL 1.1.1k contains the fix for both problems.

The first vulnerability, CVE-2021-3449, is a possible Denial-of-Service (DoS) vulnerability, where a malicious actor could crash a server application (for example, a web or an email server) that is using TLSv1.2 configured for renegotiation – unfortunately, this is the default behavior, so unless a configuration change was explicitly set, any software using TLSv1.2 could be crashed remotely. The problem comes from missing parameter validation in a specific code path, which can lead to a NULL pointer being dereferenced – immediately triggering the crash.

The second vulnerability, CVE-2021-3450, permits specially crafted certificates to be accepted as CA (Certification Authority) certificates by programs using vulnerable OpenSSL versions. This means all the validation and assurances that come from a chain of trust of certificates are potentially eliminated, so that forged certificates appear as genuine, trustworthy ones.
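As an added example (not part of the original post or the OpenSSL project), the check below turns the post's two practical points into code: whether an `openssl version` banner falls in the affected 1.1.1 range below 1.1.1k, and how a server-side Python `ssl` context can disable renegotiation as an interim mitigation for CVE-2021-3449 while the upgrade is pending. The banners are constructed sample inputs; a version-string match is only a prompt to check further, because distribution packages (and the KernelCare live patches above) can carry the fix without changing the version number.

```python
import re
import ssl

# The post states that OpenSSL 1.1.1k fixes both CVEs; OpenSSL's letter suffix
# is its patch-release counter, so '' < 'a' < ... < 'j' are older than 'k'.
FIXED_LETTER = "k"
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
# Python exposes OP_NO_RENEGOTIATION only on 3.7+ built against OpenSSL >= 1.1.0h.
NO_RENEG_FLAG = getattr(ssl, "OP_NO_RENEGOTIATION", None)


def parse_openssl_version(banner):
    """Parse an `openssl version` banner such as 'OpenSSL 1.1.1j  16 Feb 2021'
    into (major, minor, patch, letter); returns None for unrecognised input
    (e.g. a LibreSSL banner)."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_affected(banner):
    """True when the banner is a 1.1.1-branch release older than 1.1.1k.
    Only the 1.1.1 branch named in the post is considered; a pre-release
    without a letter (e.g. '1.1.1-dev') is treated conservatively as affected."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = parsed
    if (major, minor, patch) != (1, 1, 1):
        return False
    return letter < FIXED_LETTER


def disable_renegotiation(ctx):
    """Interim mitigation: CVE-2021-3449 requires a client-initiated
    renegotiation, so refusing renegotiation on the server context removes the
    trigger. Returns True if the option could be applied on this build."""
    if NO_RENEG_FLAG is None:
        return False
    ctx.options |= NO_RENEG_FLAG
    return True


def make_server_context():
    """Build a TLS server context with renegotiation disabled where supported.
    Certificate loading (ctx.load_cert_chain) is left to the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    applied = disable_renegotiation(ctx)
    return ctx, applied
```

Run `is_affected()` against the banner of each host's `openssl version` and, on a match, confirm against the distribution's package changelog or live-patch status before treating it as unpatched.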

The KernelCare team has already started working on the patches, and they should be available early next week for affected systems running KernelCare. This post will be updated with specific operating system patch availability as they are completed.
