Multiple Vulnerabilities in OpenSSL

Published on 26 Mar 2021

Updated on 14 Apr 2021

OpenSSL has released a security update to address vulnerabilities in their product. OpenSSL is an open-source software library that implements cryptographic functions for other software, for example securing websites via TLS and encrypting email.

The vulnerabilities addressed are:

  • CVE-2021-3449: A Denial of Service (DoS) vulnerability caused by a NULL pointer dereference in default server configurations.
  • CVE-2021-3450: An improper Certificate Authority (CA) certificate validation vulnerability that affects both server and client instances. Successful exploitation could allow an attacker to use a valid non-CA certificate to act as a CA and sign a certificate for an arbitrary organisation, user or device.

Administrators, software vendors and users running affected versions are recommended to upgrade to OpenSSL 1.1.1k immediately. If you are using software that depends on OpenSSL, please check with the software vendor for more information.
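One practical step behind the recommendation above is an inventory check: confirm that each OpenSSL build in use is at least 1.1.1k. The following is an added example (not code from OpenSSL or from this advisory) that parses the banner printed by `openssl version`, compares 1.1.1-series builds against the 1.1.1k fix level, and also reports the OpenSSL that the running Python interpreter itself links against, since applications bundle their own copies. The sample banners are constructed; the letter-to-number mapping for 1.x patch releases (a=1 ... k=11) matches how OpenSSL orders those releases.

```python
"""Check whether an OpenSSL build is at or above the 1.1.1k fix level."""
import re
import ssl

# 1.1.1k: the patch letter 'k' is the 11th letter (a=1), so k maps to 11.
FIXED_1_1_1 = (1, 1, 1, 11)

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.1.1j  16 Feb 2021",
# as well as bare version strings such as "1.1.1k" or "1.0.2u".
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner: str):
    """Return (major, minor, fix, patch) or None if no OpenSSL version is found.

    The patch letter of the 1.x series is mapped to a number (none=0, a=1 ... z=26)
    so that tuples compare in release order.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (major, minor, fix, patch)


def needs_1_1_1k_upgrade(banner: str):
    """True if the build is a 1.1.1 release older than 1.1.1k, False if it is
    1.1.1k or later, None if the string is not a 1.1.1-series version
    (other series are outside this check; consult the OpenSSL advisory)."""
    v = parse_openssl_version(banner)
    if v is None or v[:3] != (1, 1, 1):
        return None
    return v < FIXED_1_1_1


def running_interpreter_status():
    """Report the OpenSSL this Python interpreter links against and whether it
    falls below the 1.1.1k fix level (None if it is not a 1.1.1 build)."""
    banner = ssl.OPENSSL_VERSION
    return banner, needs_1_1_1k_upgrade(banner)


if __name__ == "__main__":
    # Constructed sample banners in the format `openssl version` prints.
    samples = [
        "OpenSSL 1.1.1j  16 Feb 2021",
        "OpenSSL 1.1.1k  25 Mar 2021",
        "OpenSSL 1.1.1  11 Sep 2018",
        "OpenSSL 1.0.2u  20 Dec 2019",
    ]
    for s in samples:
        print(f"{s!r}: needs upgrade to 1.1.1k = {needs_1_1_1k_upgrade(s)}")
    banner, status = running_interpreter_status()
    print(f"this interpreter links {banner!r}: needs upgrade = {status}")
```

Running the script on each host (or feeding it the output of `openssl version` collected by your configuration management) gives a quick first pass; applications that statically link or bundle OpenSSL still need to be checked with their vendor, as the advisory notes.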

More information is available here:
https://www.openssl.org/news/secadv/20210325.txt