Closed mend-for-github-com[bot] closed 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
:information_source: This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
CVE-2021-3449 - Medium Severity Vulnerability
Vulnerable Library - openssl-src-111.14.0+1.1.1j.crate
Source of OpenSSL and logic to build it.
Library home page: https://crates.io/api/v1/crates/openssl-src/111.14.0+1.1.1j/download
Dependency Hierarchy: - rustsec-0.23.3.crate (Root Library) - cargo-edit-0.7.0.crate - reqwest-0.10.10.crate - tokio-tls-0.3.1.crate - native-tls-0.2.7.crate - openssl-0.10.32.crate - openssl-sys-0.9.60.crate - :x: **openssl-src-111.14.0+1.1.1j.crate** (Vulnerable Library)
Found in HEAD commit: 91b6c7a5fffc4969d7d1185aecc6179ebcf18f48
Found in base branch: main
Vulnerability Details
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).
Publish Date: 2021-03-25
URL: CVE-2021-3449
CVSS 3 Score Details (5.9)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449
Release Date: 2021-03-25
Fix Resolution: 1.1.1k