CVE-2021-3450 (CNNVD-202103-1456)

HIGH
中文标题:
OpenSSL 信任管理问题漏洞
英文标题:
CA certificate check bypass with X509_V_FLAG_X509_STRICT
CVSS分数: 7.4
发布时间: 2021-03-25 14:25:14
漏洞类型: 信任管理问题
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v3
漏洞描述
中文描述:

OpenSSL是Openssl团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 OpenSSL 1.1.1h-1.1.1j 存在信任管理问题漏洞,该漏洞允许绕过ca证书检查。

英文描述:

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).

CWE类型:
CWE-295
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
OpenSSL OpenSSL Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j) - - cpe:2.3:a:openssl:openssl:fixed_in_openssl_1.1.1k_(affected_1.1.1h-1.1.1j):*:*:*:*:*:*:*
openssl openssl * - - cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
freebsd freebsd 12.2 - - cpe:2.3:o:freebsd:freebsd:12.2:-:*:*:*:*:*:*
netapp santricity_smi-s_provider_firmware - - - cpe:2.3:o:netapp:santricity_smi-s_provider_firmware:-:*:*:*:*:*:*:*
netapp storagegrid_firmware - - - cpe:2.3:o:netapp:storagegrid_firmware:-:*:*:*:*:*:*:*
windriver linux - - - cpe:2.3:o:windriver:linux:-:*:*:*:cd:*:*:*
windriver linux 17.0 - - cpe:2.3:o:windriver:linux:17.0:*:*:*:lts:*:*:*
windriver linux 18.0 - - cpe:2.3:o:windriver:linux:18.0:*:*:*:lts:*:*:*
windriver linux 19.0 - - cpe:2.3:o:windriver:linux:19.0:*:*:*:lts:*:*:*
netapp cloud_volumes_ontap_mediator - - - cpe:2.3:a:netapp:cloud_volumes_ontap_mediator:-:*:*:*:*:*:*:*
netapp oncommand_workflow_automation - - - cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
netapp ontap_select_deploy_administration_utility - - - cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
netapp storagegrid - - - cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*
fedoraproject fedora 34 - - cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
tenable nessus * - - cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:*
tenable nessus_agent * - - cpe:2.3:a:tenable:nessus_agent:*:*:*:*:*:*:*:*
tenable nessus_network_monitor 5.11.0 - - cpe:2.3:a:tenable:nessus_network_monitor:5.11.0:*:*:*:*:*:*:*
tenable nessus_network_monitor 5.11.1 - - cpe:2.3:a:tenable:nessus_network_monitor:5.11.1:*:*:*:*:*:*:*
tenable nessus_network_monitor 5.12.0 - - cpe:2.3:a:tenable:nessus_network_monitor:5.12.0:*:*:*:*:*:*:*
tenable nessus_network_monitor 5.12.1 - - cpe:2.3:a:tenable:nessus_network_monitor:5.12.1:*:*:*:*:*:*:*
tenable nessus_network_monitor 5.13.0 - - cpe:2.3:a:tenable:nessus_network_monitor:5.13.0:*:*:*:*:*:*:*
oracle commerce_guided_search 11.3.2 - - cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
oracle enterprise_manager_for_storage_management 13.4.0.0 - - cpe:2.3:a:oracle:enterprise_manager_for_storage_management:13.4.0.0:*:*:*:*:*:*:*
oracle graalvm 19.3.5 - - cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:*
oracle graalvm 20.3.1.2 - - cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:*
oracle graalvm 21.0.0.2 - - cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:*
oracle jd_edwards_enterpriseone_tools * - - cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
oracle jd_edwards_world_security a9.4 - - cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*
oracle mysql_connectors * - - cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:*
oracle mysql_enterprise_monitor * - - cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
oracle mysql_server * - - cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
oracle mysql_workbench * - - cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*
oracle peoplesoft_enterprise_peopletools * - - cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:*:*:*:*:*:*:*:*
oracle secure_backup * - - cpe:2.3:a:oracle:secure_backup:*:*:*:*:*:*:*:*
oracle secure_global_desktop 5.6 - - cpe:2.3:a:oracle:secure_global_desktop:5.6:*:*:*:*:*:*:*
oracle weblogic_server 12.2.1.4.0 - - cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
oracle weblogic_server 14.1.1.0.0 - - cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
mcafee web_gateway 8.2.19 - - cpe:2.3:a:mcafee:web_gateway:8.2.19:*:*:*:*:*:*:*
mcafee web_gateway 9.2.10 - - cpe:2.3:a:mcafee:web_gateway:9.2.10:*:*:*:*:*:*:*
mcafee web_gateway 10.1.1 - - cpe:2.3:a:mcafee:web_gateway:10.1.1:*:*:*:*:*:*:*
mcafee web_gateway_cloud_service 8.2.19 - - cpe:2.3:a:mcafee:web_gateway_cloud_service:8.2.19:*:*:*:*:*:*:*
mcafee web_gateway_cloud_service 9.2.10 - - cpe:2.3:a:mcafee:web_gateway_cloud_service:9.2.10:*:*:*:*:*:*:*
mcafee web_gateway_cloud_service 10.1.1 - - cpe:2.3:a:mcafee:web_gateway_cloud_service:10.1.1:*:*:*:*:*:*:*
sonicwall sma100_firmware * - - cpe:2.3:o:sonicwall:sma100_firmware:*:*:*:*:*:*:*:*
sonicwall capture_client * - - cpe:2.3:a:sonicwall:capture_client:*:*:*:*:*:*:*:*
sonicwall email_security * - - cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*
sonicwall sonicos * - - cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:*
nodejs node.js * - - cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
20210325 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021 vendor-advisory
cve.org
访问
[oss-security] 20210327 OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing mailing-list
cve.org
访问
[oss-security] 20210327 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing mailing-list
cve.org
访问
[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing mailing-list
cve.org
访问
[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing mailing-list
cve.org
访问
GLSA-202103-03 vendor-advisory
cve.org
访问
FEDORA-2021-cbf14ab8f9 vendor-advisory
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
CVSS评分详情
7.4
HIGH
CVSS向量: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS版本: 3.1
机密性
HIGH
完整性
HIGH
可用性
NONE
时间信息
发布时间:
2021-03-25 14:25:14
修改时间:
2024-09-17 03:07:10
创建时间:
2025-11-11 15:36:54
更新时间:
2025-11-11 15:56:39
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2021-3450 2025-11-11 15:21:04 2025-11-11 07:36:54
NVD nvd_CVE-2021-3450 2025-11-11 14:57:35 2025-11-11 07:45:13
CNNVD cnnvd_CNNVD-202103-1456 2025-11-11 15:10:36 2025-11-11 07:56:39
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2025-11-11 15:56:39
vulnerability_type: 未提取 → 信任管理问题; cnnvd_id: 未提取 → CNNVD-202103-1456; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 信任管理问题
  • cnnvd_id: 未提取 -> CNNVD-202103-1456
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:45:13
severity: SeverityLevel.MEDIUM → SeverityLevel.HIGH; cvss_score: 未提取 → 7.4; cvss_vector: NOT_EXTRACTED → CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N; cvss_version: NOT_EXTRACTED → 3.1; affected_products_count: 1 → 48; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • severity: SeverityLevel.MEDIUM -> SeverityLevel.HIGH
  • cvss_score: 未提取 -> 7.4
  • cvss_vector: NOT_EXTRACTED -> CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  • cvss_version: NOT_EXTRACTED -> 3.1
  • affected_products_count: 1 -> 48
  • data_sources: ['cve'] -> ['cve', 'nvd']