PT-2018-3641 · Mysql Server+12
Peter Kästle
·
Published
2018-01-11
·
Updated
2026-04-27
·
CVE-2021-3449
CVSS v3.1
5.9
Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions 1.1.1 through 1.1.1j
MySQL Server versions 5.7.33 and earlier, 8.0.23 and earlier
Description
The issue is a NULL pointer dereference in OpenSSL TLS servers that is triggered when a client sends a maliciously crafted renegotiation ClientHello message. The dereference crashes the server process, resulting in a denial of service. A server is only vulnerable if it has both TLSv1.2 and renegotiation enabled, which is the default configuration. OpenSSL TLS clients are not impacted by this issue.
Recommendations
For OpenSSL versions 1.1.1 through 1.1.1j, upgrade to OpenSSL 1.1.1k.
For MySQL Server versions 5.7.33 and earlier, 8.0.23 and earlier, consider disabling TLSv1.2 renegotiation until a patch is available.
As a temporary workaround, consider restricting access to the TLS server to minimize the risk of exploitation.
Avoid using the signature algorithms cert extension in the TLSv1.2 renegotiation ClientHello message until the issue is resolved.
Exploit
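To help apply the recommendations above to an inventory, here is an added triage helper (example code, not part of the original advisory) that classifies OpenSSL and MySQL Server version strings against the affected ranges the advisory states. It assumes OpenSSL's pre-3.0 lettered patch levels (1.1.1 < 1.1.1a < ... < 1.1.1k) and plain dotted MySQL versions; the inventory entries are constructed sample data.

```python
"""Version triage for the affected ranges named in this advisory."""
import re
import ssl

# Ranges exactly as stated on the page.
OPENSSL_FIRST_AFFECTED = "1.1.1"
OPENSSL_FIXED_IN = "1.1.1k"
MYSQL_LAST_AFFECTED = {"5.7": "5.7.33", "8.0": "8.0.23"}

_OPENSSL_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
_DOTTED_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(text):
    """Turn '1.1.1j' or 'OpenSSL 1.1.1k  25 Mar 2021' into a comparable tuple.
    The trailing letter is OpenSSL's 1.x patch level ('' < 'a' < 'b' < ...),
    so it is compared as a string after the numeric parts."""
    m = _OPENSSL_RE.search(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def openssl_is_affected(version_text):
    """True when the version lies in 1.1.1 .. 1.1.1j inclusive (fixed in 1.1.1k)."""
    v = parse_openssl_version(version_text)
    return (parse_openssl_version(OPENSSL_FIRST_AFFECTED) <= v
            < parse_openssl_version(OPENSSL_FIXED_IN))


def mysql_is_affected(version_text):
    """True for 5.7.33 and earlier or 8.0.23 and earlier; None when the release
    series is not one the advisory lists, so the caller can review it by hand."""
    m = _DOTTED_RE.search(version_text)
    if not m:
        raise ValueError("unrecognised MySQL version: %r" % version_text)
    v = tuple(int(x) for x in m.groups())
    last = MYSQL_LAST_AFFECTED.get("%d.%d" % v[:2])
    if last is None:
        return None
    return v <= tuple(int(x) for x in last.split("."))


def hosts_needing_action(inventory):
    """inventory: iterable of (host, product, version); product is 'openssl' or 'mysql'.
    Returns the hosts whose version is affected or not classifiable by the advisory."""
    checks = {"openssl": openssl_is_affected, "mysql": mysql_is_affected}
    return sorted(h for h, p, ver in inventory if checks[p](ver) is not False)


# Constructed sample inventory, plus the OpenSSL this interpreter links against.
SAMPLE_INVENTORY = [("db1", "mysql", "8.0.23"), ("db2", "mysql", "8.0.24"),
                    ("web1", "openssl", "1.1.1j"), ("web2", "openssl", "1.1.1k")]
if __name__ == "__main__":
    print(hosts_needing_action(SAMPLE_INVENTORY))
    print(ssl.OPENSSL_VERSION, "affected:", openssl_is_affected(ssl.OPENSSL_VERSION))
```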
Fix
DoS
NULL Pointer Dereference
Weakness Enumeration
Related identifiers
Affected products
Alt Linux
Centos
Check Point Gaia
Cisco Ios Xe
Freebsd
Linuxmint
Mysql Server
Openssl
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu