MySQL Server · CVE-2021-3449
**Name of the Vulnerable Software and Affected Versions**
OpenSSL versions 1.1.1 through 1.1.1j
MySQL Server versions 5.7.33 and earlier, 8.0.23 and earlier
**Description**
The issue is a NULL pointer dereference in OpenSSL TLS servers that receive a maliciously crafted renegotiation ClientHello message from a client. The dereference crashes the server process, which makes this a denial-of-service issue. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled, which is the default configuration. OpenSSL TLS clients are not affected.
**Recommendations**
For OpenSSL versions 1.1.1 through 1.1.1j, upgrade to OpenSSL 1.1.1k.
For MySQL Server versions 5.7.33 and earlier, 8.0.23 and earlier, consider disabling TLSv1.2 renegotiation until a patch is available.
As a temporary workaround, consider restricting access to the TLS server to minimize the risk of exploitation.
Avoid using the `signature_algorithms_cert` extension in the TLSv1.2 renegotiation ClientHello message until the issue is resolved.
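The following is an added example, not part of this advisory and not code from OpenSSL or MySQL. It turns the version ranges above into a check that a practitioner can run against `openssl version` output and a MySQL version string, and it applies the "disable TLSv1.2 renegotiation" recommendation to a Python `ssl.SSLContext` using the standard library's `OP_NO_RENEGOTIATION` option. The function names, the sample version banners and the mapping of OpenSSL patch letters to numbers (a=1 ... k=11) are this example's own assumptions.

```python
import re
import ssl

# Affected ranges as stated in the advisory above.
# OpenSSL patch letters are mapped a=1 ... z=26, so "1.1.1" (no letter) is
# patch 0 and "1.1.1k" is patch 11.  MySQL is affected up to and including the
# listed release of each branch.
OPENSSL_FIRST_AFFECTED = (1, 1, 1, 0)    # OpenSSL 1.1.1
OPENSSL_FIXED = (1, 1, 1, 11)            # OpenSSL 1.1.1k
MYSQL_LAST_AFFECTED = {(5, 7): (5, 7, 33), (8, 0): (8, 0, 23)}

_OPENSSL_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")
_MYSQL_BANNER = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Turn an `openssl version` banner such as 'OpenSSL 1.1.1j  16 Feb 2021'
    into a comparable tuple (major, minor, fix, patch).  Only OpenSSL banners
    are handled; LibreSSL/BoringSSL strings raise ValueError."""
    m = _OPENSSL_BANNER.search(banner)
    if m is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def openssl_affected(version):
    """True when the parsed OpenSSL version lies in [1.1.1, 1.1.1k)."""
    return OPENSSL_FIRST_AFFECTED <= version < OPENSSL_FIXED


def parse_mysql_version(banner):
    """Turn a MySQL version string such as '5.7.33-log' or '8.0.23' into
    (major, minor, patch)."""
    m = _MYSQL_BANNER.match(banner.strip())
    if m is None:
        raise ValueError(f"not a MySQL version string: {banner!r}")
    return tuple(int(x) for x in m.groups())


def mysql_affected(version):
    """True/False for the 5.7 and 8.0 branches named in the advisory; None for
    any other branch, which the advisory does not classify."""
    last = MYSQL_LAST_AFFECTED.get(version[:2])
    if last is None:
        return None
    return version <= last


def disable_renegotiation(ctx):
    """Apply the advisory's 'disable TLSv1.2 renegotiation' mitigation to a
    server-side SSLContext.  ssl.OP_NO_RENEGOTIATION exists in Python 3.7+
    built against OpenSSL 1.1.0h or later; the function returns False when it
    is unavailable so the caller knows the mitigation was NOT applied.  TLS 1.3
    has no renegotiation, so the option only affects TLS 1.2 and older."""
    opt = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if opt is None:
        return False
    ctx.options |= opt
    return True


def check_runtime():
    """Report whether the OpenSSL this interpreter links against is in the
    affected range (a quick smoke test on a host that also runs MySQL)."""
    version = parse_openssl_version(ssl.OPENSSL_VERSION)
    return {"openssl": ssl.OPENSSL_VERSION, "affected": openssl_affected(version)}


if __name__ == "__main__":
    print(check_runtime())
    # Constructed sample banners, one on each side of the fix boundary.
    for banner in ("OpenSSL 1.1.1j  16 Feb 2021", "OpenSSL 1.1.1k  25 Mar 2021"):
        state = "affected" if openssl_affected(parse_openssl_version(banner)) else "not affected"
        print(banner, "->", state)
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("renegotiation disabled:", disable_renegotiation(server_ctx))
```

Note that `disable_renegotiation` is a mitigation, not a fix: it removes the renegotiation path the crafted ClientHello relies on, but the upgrade to 1.1.1k is still the remediation the advisory recommends. A `None` result from `mysql_affected` means the branch is outside the ranges the advisory lists, not that it is safe.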