CVE-2021-3449: NULL Pointer Dereference

March 25, 2021 (updated November 9, 2023)

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue.

References

nvd.nist.gov/vuln/detail/CVE-2021-3449
www.openssl.org/news/secadv/20210325.txt

Code Behaviors & Features

Detect and mitigate CVE-2021-3449 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →