CVE-2021-3449: NULL Pointer Dereference
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue.