March 26, 2021 - TuxCare expert team
OpenSSL, the widely used cryptography toolkit and library, has been audited by security researchers more than almost any other project, perhaps excluding only the Linux kernel itself. This week was no exception, and again some issues were found.
[Update 20 April: Over the past weeks, KernelCare has released patches for CVE-2021-3449 covering AlmaLinux OS 8, RHEL 8, Ubuntu 18.04, Ubuntu 20.04, CentOS 8, Debian 10 and Oracle Linux 8, and for CVE-2021-3450 covering AlmaLinux OS 8, CentOS 8, Oracle Linux 8 and RHEL 8. If you’re running KernelCare on one of those systems, you have already received the patches.]
Rather than reinventing the wheel every time they need a secure communication channel or have to validate a certificate, programmers rely on the tried and tested OpenSSL library. Its ease of use and its wide adoption across operating systems and architectures let them stop worrying about these common functions and focus on the core goals of their application.
So, whenever the alarms go off around OpenSSL, many pay attention and take it seriously. Just this week, two new vulnerabilities were disclosed, CVE-2021-3449 and CVE-2021-3450, both in the 1.1.1 branch: CVE-2021-3449 affects OpenSSL 1.1.1 through 1.1.1j, and CVE-2021-3450 affects 1.1.1h through 1.1.1j. OpenSSL 1.0.2 is not affected by either issue. The 1.1.1 branch is the one bundled with several operating systems, including RHEL 8, so systems running it should upgrade OpenSSL as soon as possible: OpenSSL 1.1.1k contains the fix for both problems. Note that distributions often backport fixes without changing the version string, so check your vendor's package changelog rather than relying on the version number alone.
The first vulnerability, CVE-2021-3449, is a Denial-of-Service (DoS) vulnerability in which a malicious client can crash a server application (for example, a web or an email server) that accepts TLSv1.2 connections with renegotiation enabled. Unfortunately, renegotiation is enabled by default in OpenSSL 1.1.1, so unless the application explicitly disables it (with the SSL_OP_NO_RENEGOTIATION option), any TLSv1.2 server built on a vulnerable library can be crashed remotely. Only servers are affected; TLS clients are not. The problem comes from a missing validation in a specific code path: if the initial ClientHello carried a signature_algorithms extension but the renegotiation ClientHello omits it (while including a signature_algorithms_cert extension), the server dereferences a NULL pointer and crashes immediately.
The second vulnerability, CVE-2021-3450, permits specially crafted certificates to be accepted as CA (Certification Authority) certificates by programs using vulnerable OpenSSL versions, which means all the validation and assurances that come from a chain of trust are potentially eliminated, making fake certificates show up as genuine, trustworthy ones. A strict check added in 1.1.1h overwrote the result of an earlier check that confirms certificates in the chain are valid CA certificates, so a non-CA certificate could be used to issue other certificates. The bug is only reachable when the application sets the X509_V_FLAG_X509_STRICT verification flag (not the default) without also setting a certificate purpose. Because libssl sets a purpose for TLS client and server verification by default, most TLS applications are not affected unless they override that purpose; applications that do their own chain validation with the strict flag are the ones at risk.
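As an added example (not part of the original post, nor code from OpenSSL or KernelCare), the following Python snippet does the two things an operator wants after reading the advisory: it maps an OpenSSL version string onto the affected ranges stated above for both CVEs, and it builds a TLS server context with renegotiation disabled, which removes the CVE-2021-3449 trigger path even where the library itself is not yet patched. The version strings at the bottom are constructed samples, not output from any real host. The check on the version string is only a first screen: a distribution that backports the fix (RHEL 8 reports itself as 1.1.1g, for instance) will still show up as affected here, so confirm against the vendor changelog.

```python
import re
import ssl

# Affected ranges from the OpenSSL advisory of 25 March 2021:
#   CVE-2021-3449: 1.1.1 .. 1.1.1j (TLSv1.2 servers with renegotiation enabled)
#   CVE-2021-3450: 1.1.1h .. 1.1.1j (X509_V_FLAG_X509_STRICT set, no purpose set)
# 1.1.1k fixes both; 1.0.2 is not affected by either.
_AFFECTED = {
    "CVE-2021-3449": ((1, 1, 1, ""), (1, 1, 1, "j")),
    "CVE-2021-3450": ((1, 1, 1, "h"), (1, 1, 1, "j")),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn 'OpenSSL 1.1.1j  16 Feb 2021' or '1.1.1k' into a comparable tuple.

    The trailing letter is the patch level in the 1.x series, and the empty
    suffix sorts before 'a', so plain tuple comparison orders releases correctly:
    1.1.1 < 1.1.1a < ... < 1.1.1j < 1.1.1k.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix = (int(match.group(i)) for i in (1, 2, 3))
    return (major, minor, fix, match.group(4))


def affected_cves(version_text):
    """Return the CVEs from the advisory whose affected range covers this version."""
    version = parse_openssl_version(version_text)
    return [cve for cve, (low, high) in _AFFECTED.items() if low <= version <= high]


def runtime_openssl_status():
    """Screen the OpenSSL that this Python interpreter is linked against."""
    return affected_cves(ssl.OPENSSL_VERSION)


def build_server_context(disable_renegotiation=True):
    """TLS server context; with the default argument, renegotiation is turned off.

    SSL_OP_NO_RENEGOTIATION (exposed as ssl.OP_NO_RENEGOTIATION) makes the server
    reject a client's renegotiation request, so the renegotiation ClientHello that
    triggers CVE-2021-3449 is never processed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if disable_renegotiation:
        ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx


def renegotiation_disabled(ctx):
    """True if the context will refuse TLSv1.2 renegotiation."""
    return bool(ctx.options & ssl.OP_NO_RENEGOTIATION)


if __name__ == "__main__":
    # Constructed sample version strings, in the format 'openssl version' prints.
    samples = [
        "OpenSSL 1.0.2u  20 Dec 2019",
        "OpenSSL 1.1.1d  10 Sep 2019",
        "OpenSSL 1.1.1g FIPS  21 Apr 2020",  # RHEL 8 string; fixes are backported
        "OpenSSL 1.1.1j  16 Feb 2021",
        "OpenSSL 1.1.1k  25 Mar 2021",
    ]
    for sample in samples:
        print("%-40s %s" % (sample, affected_cves(sample) or "not affected"))
    print("interpreter OpenSSL:", ssl.OPENSSL_VERSION, runtime_openssl_status())
    print("renegotiation disabled in hardened context:",
          renegotiation_disabled(build_server_context()))
```

Python only exposes the renegotiation option, not the X509_STRICT flag, so the CVE-2021-3450 side of this check is limited to the version screen; for a certificate-verification application written against libcrypto directly, the equivalent review question is whether it calls X509_VERIFY_PARAM_set_flags with X509_V_FLAG_X509_STRICT without also setting a purpose.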
The KernelCare team has already started working on the patches, and they should be available early next week for affected systems running KernelCare. This post will be updated with specific operating system patch availability as they are completed.