OpenSSL TLS server denial-of-service (CVE-2021-3449)
Vulnerability details
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message.
Impacted products
Revisions
| Version |
Date |
Description |
| v1 |
05/27/2021 |
Initial release |
Stormshield Network Security |
CVSS v3.1 Overall Score: 5.1 
|
Analysis
|
Impacted version
|
|
A bug in OpenSSL’s secure renegociation system could lead to a remote denial of service on multiple services running on SNS.
|
|
Workaround solution
|
Solution
|
|
There is no workaround.
|
The 4.2.2 update fixes this vulnerability.
|
| Attack Vector |
Attack Complexity |
Privileges Required |
User Interaction |
Scope |
Confidentiality Impact |
Integrity Impact |
Availability impact |
| Adjacent Network |
Low |
None |
None |
Changed |
None |
None |
Low |
| Exploit Code Maturity |
Remediation Level |
Report Confidence |
| Proof of concept code |
Official fix |
Confirmed |
| Confidentiality Requirement |
Integrity Requirement |
Availability Requirement |
| High |
High |
High |
