CVE-2021-3450
Description
The X509_V_FLAG_X509_STRICT flag enables additional security checks on the certificates in a certificate chain; it is not set by default. OpenSSL 1.1.1h added a further strict check that rejects chain certificates carrying explicitly encoded elliptic curve parameters. An error in the implementation of that check overwrote the result of the preceding check that each issuing certificate in the chain is a valid CA certificate, so with the strict flag set the rule that a non-CA certificate must not issue other certificates is effectively bypassed. If a verification purpose has been configured, a later check still confirms that each issuer is a valid CA; every named purpose implemented in libcrypto performs this check, so where a purpose is set the chain is still rejected even when the strict flag is used. The libssl client and server certificate verification routines set a purpose by default, but an application can override or remove it. An application is therefore affected only if it explicitly sets the X509_V_FLAG_X509_STRICT verification flag and either sets no purpose for the certificate verification or, in the case of a TLS client or server, overrides the default purpose. OpenSSL 1.1.1h through 1.1.1j are affected; users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
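The conditions above can be reproduced directly with the openssl command-line tool, which sets no purpose unless -purpose is given. The script below is an added example, not ManageEngine's or the OpenSSL project's code: it builds a chain whose intermediate certificate is explicitly declared a non-CA (basicConstraints=CA:FALSE) and verifies the leaf three ways: with -x509_strict and no purpose (the affected configuration), with -x509_strict plus -purpose sslserver (the purpose check the advisory describes), and with neither. The certificate names (root, good-ca, bad-ca, leaf-*), lifetimes, 2048-bit RSA keys, extension sets and the subjectAltName leaf.example are arbitrary test values; RSA keys suffice because the overwritten CA-check result does not depend on the key algorithm. A control run with a properly formed intermediate guards against reporting an environment problem as this CVE.

```shell
#!/bin/sh
# Added example, not ManageEngine's or the OpenSSL project's code.
# Reproduces the CVE-2021-3450 condition with the openssl CLI: a chain whose
# intermediate is explicitly NOT a CA (basicConstraints=CA:FALSE), verified
# with -x509_strict and no -purpose. Affected builds (1.1.1h-1.1.1j) accept
# it; fixed builds reject it ("invalid CA certificate").
# All names, lifetimes, key sizes and extension sets are arbitrary test values.
set -u

# Extension sets. The good CA carries what a strict verifier expects of a CA
# (critical basicConstraints, keyUsage, SKID/AKID); the bad intermediate is
# the same except that it is declared a non-CA and has no keyUsage.
ROOT_EXTS='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash'
GOOD_CA_EXTS="$ROOT_EXTS
authorityKeyIdentifier=keyid"
BAD_CA_EXTS='basicConstraints=critical,CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid'
LEAF_EXTS='basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
subjectAltName=DNS:leaf.example'

# issue_cert DIR NAME ISSUER EXTS: generate an RSA key and a certificate for
# NAME signed by ISSUER (self-signed when ISSUER is empty) with extensions EXTS.
issue_cert() {
    dir=$1 name=$2 issuer=$3
    printf '%s\n' "$4" > "$dir/$name.ext"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$name.key" 2>/dev/null &&
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
        -out "$dir/$name.csr" 2>/dev/null || return 1
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -days 2 -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
    else
        # openssl x509 signs with any key; the issuer's basicConstraints is
        # only examined at verification time, which is the point of the test.
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" \
            -CAkey "$dir/$issuer.key" -CAcreateserial -days 2 \
            -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
    fi
}

# verify_chain DIR INTER [verify options...]: prints "accepted" or "rejected".
# Drop the redirection to see the error code (e.g. "invalid CA certificate").
verify_chain() {
    dir=$1 inter=$2
    shift 2
    if openssl verify "$@" -CAfile "$dir/root.pem" -untrusted "$dir/$inter.pem" \
            "$dir/leaf-$inter.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Prints the verdict on stdout; exit status 0 = not vulnerable, 1 = vulnerable,
# 2 = inconclusive (toolchain problem, not evidence either way).
cve_2021_3450_check() {
    work=$(mktemp -d) || { echo inconclusive; return 2; }
    if ! { issue_cert "$work" root "" "$ROOT_EXTS" &&
           issue_cert "$work" good-ca root "$GOOD_CA_EXTS" &&
           issue_cert "$work" bad-ca root "$BAD_CA_EXTS" &&
           issue_cert "$work" leaf-good-ca good-ca "$LEAF_EXTS" &&
           issue_cert "$work" leaf-bad-ca bad-ca "$LEAF_EXTS"; }; then
        rm -rf "$work"; echo inconclusive; return 2
    fi
    # Control: a well-formed chain must pass the strict check, otherwise the
    # environment (config, security level) cannot answer the question.
    if [ "$(verify_chain "$work" good-ca -x509_strict)" != accepted ]; then
        rm -rf "$work"; echo inconclusive; return 2
    fi
    strict=$(verify_chain "$work" bad-ca -x509_strict)
    strict_purpose=$(verify_chain "$work" bad-ca -x509_strict -purpose sslserver)
    plain=$(verify_chain "$work" bad-ca)
    rm -rf "$work"
    echo "strict only: $strict; strict+purpose: $strict_purpose; default: $plain" >&2
    # Only the strict-without-purpose run distinguishes affected from fixed
    # builds; the other two reject the non-CA issuer on every version.
    if [ "$strict" = accepted ]; then
        echo VULNERABLE; return 1
    fi
    echo "not vulnerable"; return 0
}

cve_2021_3450_check
```

The -purpose sslserver run is the mitigation the advisory points at: in application code the equivalent is calling X509_VERIFY_PARAM_set_purpose() (or X509_STORE_CTX_set_purpose()) on the verification parameters rather than relying on X509_V_FLAG_X509_STRICT alone, and for libssl clients and servers simply not clearing the purpose they set by default.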
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple Vulnerabilities are affected in OpenSSL 1.1.1 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.4.0 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 14.1.1.0.0 | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 12 (x64) (12.22.1) | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 12 (12.22.1) | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 12 (x64) (12.22.10) | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 12 (12.22.10) | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 12 (x64) (12.22.11) | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 12 (12.22.11) | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 12 (x64) (12.22.12) | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 12 (12.22.12) | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 14 (x64) (14.16.1) | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 14 (14.16.1) | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 10 (x64) (10.24.1) | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 10 (10.24.1) | Windows |
| Vulnerabilities CVE-2021-3450,CVE-2021-3449,CVE-2020-7774 are fixed in Node.js 15.14.0 | Windows |
| Vulnerabilities CVE-2021-3449,CVE-2021-3450 are affected in Nessus Agent (x64) 8.12.1 | Windows |
| Vulnerabilities CVE-2021-3449,CVE-2021-3450 are affected in Nessus Agent 8.12.1 | Windows |
| Vulnerabilities CVE-2019-16168,CVE-2021-3450 are fixed in Nessus Agent (8.2.4.20047) | Windows |
| Vulnerabilities CVE-2019-16168,CVE-2021-3450 are fixed in Nessus Agent (x64) (8.2.4.20047) | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450 are fixed in Microsoft Visual Studio Community 2017 15.9.40 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450 are fixed in Microsoft Visual Studio Enterprise 2017 15.9.40 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450 are fixed in Microsoft Visual Studio Professional 2017 15.9.40 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450,CVE-2021-41355 are fixed in Microsoft Visual Studio Community 2019 16.9.12 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450 are fixed in Microsoft Visual Studio Community 2019 16.7.20 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450 are fixed in Microsoft Visual Studio Community 2019 16.4.27 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450,CVE-2021-41355 are fixed in Microsoft Visual Studio Community 2019 16.11.5 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450,CVE-2021-41355 are fixed in Microsoft Visual Studio Enterprise 2019 16.9.12 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450 are fixed in Microsoft Visual Studio Enterprise 2019 16.7.20 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450 are fixed in Microsoft Visual Studio Enterprise 2019 16.4.27 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450,CVE-2021-41355 are fixed in Microsoft Visual Studio Enterprise 2019 16.11.5 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450,CVE-2021-41355 are fixed in Microsoft Visual Studio Professional 2019 16.9.12 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450 are fixed in Microsoft Visual Studio Professional 2019 16.7.20 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450 are fixed in Microsoft Visual Studio Professional 2019 16.4.27 | Windows |
| Vulnerabilities CVE-2020-1971,CVE-2021-3449,CVE-2021-3450,CVE-2021-41355 are fixed in Microsoft Visual Studio Professional 2019 16.11.5 | Windows |
| Multiple vulnerabilities are fixed in Couchbase Server Enterprise Edition 6.6.3 | Windows |
| Vulnerabilities CVE-2019-7317,CVE-2021-3450 are affected in MySQL Workbench Enterprise Edition 8.0.23 | Windows |
| Vulnerabilities CVE-2019-7317,CVE-2021-3450 are affected in MySQL Workbench CE (x64) 8.0.23 | Windows |
| Vulnerabilities CVE-2021-3449,CVE-2021-3450 are fixed in Nessus 8.13.2 | Windows |
| Vulnerabilities CVE-2021-3449,CVE-2021-3450 are fixed in Tenable Nessus 8.13.2 | Windows |
| Multiple Vulnerabilities are affected in Netapp Oncommand Workflow Automation - | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.57 | Windows |
| Vulnerabilities CVE-2021-3450 are affected in Oracle PeopleSoft Enterprise PeopleTools 8.59 | Windows |
| Vulnerabilities CVE-2021-26691,CVE-2021-3450,CVE-2021-3712 are fixed in Oracle Secure Backup 18.1.0.1.0 | Windows |
| Vulnerabilities CVE-2021-2161,CVE-2021-2163,CVE-2021-23841,CVE-2021-3450 are affected in Oracle GraalVM Enterprise Edition 19.3.5 | Windows |
| Vulnerabilities CVE-2021-2161,CVE-2021-2163,CVE-2021-23841,CVE-2021-3450 are affected in Oracle GraalVM Enterprise Edition 20.3.1.2 | Windows |
| Vulnerabilities CVE-2021-2161,CVE-2021-2163,CVE-2021-23841,CVE-2021-3450 are affected in Oracle GraalVM Enterprise Edition 21.0.0.2 | Windows |
| Multiple Vulnerabilities are affected in Nessus Network Monitor 5.13.0 | Windows |
| Multiple Vulnerabilities are affected in Nessus Network Monitor 5.11.0 | Windows |
| Multiple Vulnerabilities are affected in Nessus Network Monitor 5.11.1 | Windows |
| Multiple Vulnerabilities are affected in Nessus Network Monitor 5.12.0 | Windows |
| Vulnerabilities CVE-2021-23840,CVE-2021-23841,CVE-2021-3449,CVE-2021-3450 are affected in Nessus Network Monitor 5.12.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 20.0 | Windows |
| Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.1.0 | Windows |
| (RHSA-2021:1024) openssl security update openssl-1.1.1g-15.el8_3.x86_64.rpm | Linux |
| (RHSA-2021:1024) openssl security update openssl-debugsource-1.1.1g-15.el8_3.i686.rpm | Linux |
| (RHSA-2021:1024) openssl security update openssl-debugsource-1.1.1g-15.el8_3.x86_64.rpm | Linux |
| (RHSA-2021:1024) openssl security update openssl-devel-1.1.1g-15.el8_3.i686.rpm | Linux |
| (RHSA-2021:1024) openssl security update openssl-devel-1.1.1g-15.el8_3.x86_64.rpm | Linux |
| (RHSA-2021:1024) openssl security update openssl-libs-1.1.1g-15.el8_3.i686.rpm | Linux |
| (RHSA-2021:1024) openssl security update openssl-libs-1.1.1g-15.el8_3.x86_64.rpm | Linux |
| (RHSA-2021:1024) openssl security update openssl-perl-1.1.1g-15.el8_3.x86_64.rpm | Linux |
| Openssl update (ELSA-2021-1024) openssl-1.1.1g-15.el8_3.x86_64.rpm | Linux |
| Openssl-devel update (ELSA-2021-1024) openssl-devel-1.1.1g-15.el8_3.i686.rpm | Linux |
| Openssl-devel update (ELSA-2021-1024) openssl-devel-1.1.1g-15.el8_3.x86_64.rpm | Linux |
| Openssl-libs update (ELSA-2021-1024) openssl-libs-1.1.1g-15.el8_3.i686.rpm | Linux |
| Openssl-libs update (ELSA-2021-1024) openssl-libs-1.1.1g-15.el8_3.x86_64.rpm | Linux |
| Openssl-perl update (ELSA-2021-1024) openssl-perl-1.1.1g-15.el8_3.x86_64.rpm | Linux |
| Improper Certificate Validation Vulnerability (CVE-2021-3450) | NCM |
Patch Details
| Patch ID | Patch Description |
|---|---|
| PATCH-324371 | Node.js 12 (x64) (12.22.12) |
| PATCH-324370 | Node.js 12 (12.22.12) |
| PATCH-329083 | Node.js 14 (x64) (14.21.3) |
| PATCH-329082 | Node.js 14 (14.21.3) |
| PATCH-319043 | Node.js 10 (x64) (10.24.1) |
| PATCH-319042 | Node.js 10 (10.24.1) |
| PATCH-343100 | Nessus Agent (x64) (10.8.0) |
| PATCH-343099 | Nessus Agent (10.8.0) |
| PATCH-337447 | Nessus Agent (10.6.1) |
| PATCH-337448 | Nessus Agent (x64) (10.6.1) |
| PATCH-347137 | MySQL Workbench CE (x64) (8.0.42) |
References
https://nvd.nist.gov/vuln/detail/CVE-2021-3450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450
https://www.openssl.org/news/secadv/20210325.txt