BIT-node-2021-3449

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/node/BIT-node-2021-3449.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-node-2021-3449
Aliases
Published
2024-03-06T11:05:44.892Z
Modified
2024-06-23T19:56:34.118Z
Summary
[none]
Details

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signaturealgorithms extension (where it was present in the initial ClientHello), but includes a signaturealgorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

References

Affected packages

Bitnami / node

Package

Name
node
Purl
pkg:bitnami/node

Severity

  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
10.0.0
Fixed
10.12.0
Introduced
10.13.0
Fixed
10.24.0
Introduced
12.0.0
Fixed
12.12.0
Introduced
12.13.0
Fixed
12.22.1
Introduced
14.0.0
Fixed
14.14.0
Introduced
14.15.0
Fixed
14.16.1
Introduced
15.0.0
Fixed
15.14.0