{ "document": { "aggregate_severity": { "text": "Medium" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/centos7els/vex/2021/cve-2021-3449-els_os-centos7els.json" } ], "tracking": { "current_release_date": "2026-06-06T04:40:48Z", "generator": { "date": "2026-06-06T04:40:48Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2021-3449-ELS_OS-CENTOS7ELS", "initial_release_date": "2021-03-25T15:15:00Z", "revision_history": [ { "date": "2021-03-25T15:15:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-06-05T20:39:51Z", "number": "2", "summary": "Official Publication" }, { "date": "2026-06-06T02:10:08Z", "number": "3", "summary": "Update document" }, { "date": "2026-06-06T04:40:48Z", "number": "4", "summary": "Update document" } ], "status": "final", "version": "4" }, "title": "Security update on CVE-2021-3449" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Community Enterprise Operating System 7", "product": { "name": "Community Enterprise Operating System 7", "product_id": "CentOS-7", "product_identification_helper": { "cpe": "cpe:2.3:o:centos:centos:7:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Community Enterprise Operating System" }, { "branches": [ { "category": "product_version", "name": "openssl11-libs-1:1.1.1k-7.el7.x86_64", "product": { "name": "openssl11-libs-1:1.1.1k-7.el7.x86_64", "product_id": "openssl11-libs-1:1.1.1k-7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/centos/openssl11-libs@1.1.1k-7.el7?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "openssl11-static-1:1.1.1k-7.el7.x86_64", "product": { "name": "openssl11-static-1:1.1.1k-7.el7.x86_64", "product_id": "openssl11-static-1:1.1.1k-7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/centos/openssl11-static@1.1.1k-7.el7?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "openssl11-devel-1:1.1.1k-7.el7.x86_64", "product": { "name": "openssl11-devel-1:1.1.1k-7.el7.x86_64", "product_id": "openssl11-devel-1:1.1.1k-7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/centos/openssl11-devel@1.1.1k-7.el7?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "openssl11-1:1.1.1k-7.el7.x86_64", "product": { "name": "openssl11-1:1.1.1k-7.el7.x86_64", "product_id": "openssl11-1:1.1.1k-7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/centos/openssl11@1.1.1k-7.el7?arch=x86_64&epoch=1" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "openssl11-libs-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "product": { "name": "openssl11-libs-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "product_id": "openssl11-libs-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/openssl11-libs@1.1.1k-7.el7.tuxcare.els1?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "openssl11-static-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "product": { "name": "openssl11-static-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "product_id": "openssl11-static-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/openssl11-static@1.1.1k-7.el7.tuxcare.els1?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "openssl11-devel-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "product": { "name": "openssl11-devel-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "product_id": "openssl11-devel-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/openssl11-devel@1.1.1k-7.el7.tuxcare.els1?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "openssl11-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "product": { "name": "openssl11-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "product_id": "openssl11-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/openssl11@1.1.1k-7.el7.tuxcare.els1?arch=x86_64&epoch=1" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openssl11-libs-1:1.1.1k-7.el7.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:openssl11-libs-1:1.1.1k-7.el7.tuxcare.els1.x86_64" }, "product_reference": "openssl11-libs-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "openssl11-static-1:1.1.1k-7.el7.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:openssl11-static-1:1.1.1k-7.el7.tuxcare.els1.x86_64" }, "product_reference": "openssl11-static-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "openssl11-devel-1:1.1.1k-7.el7.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:openssl11-devel-1:1.1.1k-7.el7.tuxcare.els1.x86_64" }, "product_reference": "openssl11-devel-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "openssl11-1:1.1.1k-7.el7.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:openssl11-1:1.1.1k-7.el7.tuxcare.els1.x86_64" }, "product_reference": "openssl11-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "openssl11-libs-1:1.1.1k-7.el7.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:openssl11-libs-1:1.1.1k-7.el7.x86_64" }, "product_reference": "openssl11-libs-1:1.1.1k-7.el7.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "openssl11-static-1:1.1.1k-7.el7.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:openssl11-static-1:1.1.1k-7.el7.x86_64" }, "product_reference": "openssl11-static-1:1.1.1k-7.el7.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "openssl11-devel-1:1.1.1k-7.el7.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:openssl11-devel-1:1.1.1k-7.el7.x86_64" }, "product_reference": "openssl11-devel-1:1.1.1k-7.el7.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "openssl11-1:1.1.1k-7.el7.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:openssl11-1:1.1.1k-7.el7.x86_64" }, "product_reference": "openssl11-1:1.1.1k-7.el7.x86_64", "relates_to_product_reference": "CentOS-7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3449", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "description", "text": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "CentOS-7:openssl11-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "CentOS-7:openssl11-1:1.1.1k-7.el7.x86_64", "CentOS-7:openssl11-devel-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "CentOS-7:openssl11-devel-1:1.1.1k-7.el7.x86_64", "CentOS-7:openssl11-libs-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "CentOS-7:openssl11-libs-1:1.1.1k-7.el7.x86_64", "CentOS-7:openssl11-static-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "CentOS-7:openssl11-static-1:1.1.1k-7.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2021-3449" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2021/03/27/1", "url": "http://www.openwall.com/lists/oss-security/2021/03/27/1" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2021/03/27/2", "url": "http://www.openwall.com/lists/oss-security/2021/03/27/2" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2021/03/28/3", "url": "http://www.openwall.com/lists/oss-security/2021/03/28/3" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2021/03/28/4", "url": "http://www.openwall.com/lists/oss-security/2021/03/28/4" }, { "category": "external", "summary": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "category": "external", "summary": "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf" }, { "category": "external", "summary": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148" }, { "category": "external", "summary": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845" }, { "category": "external", "summary": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/" }, { "category": "external", "summary": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013" }, { "category": "external", "summary": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", "url": "https://security.freebsd.org/advisories/FreeBSD-SA-21:07.openssl.asc" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202103-03", "url": "https://security.gentoo.org/glsa/202103-03" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20210326-0006/", "url": "https://security.netapp.com/advisory/ntap-20210326-0006/" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20210513-0002/", "url": "https://security.netapp.com/advisory/ntap-20210513-0002/" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20240621-0006/", "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" }, { "category": "external", "summary": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd" }, { "category": "external", "summary": "https://www.debian.org/security/2021/dsa-4875", "url": "https://www.debian.org/security/2021/dsa-4875" }, { "category": "external", "summary": "https://www.openssl.org/news/secadv/20210325.txt", "url": "https://www.openssl.org/news/secadv/20210325.txt" }, { "category": "external", "summary": "https://www.oracle.com//security-alerts/cpujul2021.html", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuApr2021.html", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuapr2022.html", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujul2022.html", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuoct2021.html", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "category": "external", "summary": "https://www.tenable.com/security/tns-2021-05", "url": "https://www.tenable.com/security/tns-2021-05" }, { "category": "external", "summary": "https://www.tenable.com/security/tns-2021-06", "url": "https://www.tenable.com/security/tns-2021-06" }, { "category": "external", "summary": "https://www.tenable.com/security/tns-2021-09", "url": "https://www.tenable.com/security/tns-2021-09" }, { "category": "external", "summary": "https://www.tenable.com/security/tns-2021-10", "url": "https://www.tenable.com/security/tns-2021-10" }, { "category": "external", "summary": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", "url": "https://security.freebsd.org/advisories/FreeBSD-SA-21:07.openssl.asc" }, { "category": "external", "summary": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", "url": "https://security.freebsd.org/advisories/FreeBSD-SA-21:07.openssl.asc" } ], "release_date": "2021-03-25T15:15:00Z", "remediations": [ { "category": "no_fix_planned", "date": "2026-06-06T03:31:40.485617Z", "details": "CVE-2021-3449 is a server-side, DoS-only NULL pointer dereference in OpenSSL’s TLS 1.2 renegotiation path that affects only versions 1.1.1–1.1.1j; it has high attack complexity and no confidentiality or integrity impact. Exposure exists solely for services that both terminate TLS with those versions and have TLS 1.2 renegotiation enabled (not clients, not TLS 1.3, and not configurations without renegotiation). Given these narrow preconditions, the practical risk to centrally managed enterprise VM/server deployments is limited, so this issue can be safely deprioritized.", "product_ids": [ "CentOS-7:openssl11-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "CentOS-7:openssl11-1:1.1.1k-7.el7.x86_64", "CentOS-7:openssl11-devel-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "CentOS-7:openssl11-devel-1:1.1.1k-7.el7.x86_64", "CentOS-7:openssl11-libs-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "CentOS-7:openssl11-libs-1:1.1.1k-7.el7.x86_64", "CentOS-7:openssl11-static-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "CentOS-7:openssl11-static-1:1.1.1k-7.el7.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "CentOS-7:openssl11-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "CentOS-7:openssl11-1:1.1.1k-7.el7.x86_64", "CentOS-7:openssl11-devel-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "CentOS-7:openssl11-devel-1:1.1.1k-7.el7.x86_64", "CentOS-7:openssl11-libs-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "CentOS-7:openssl11-libs-1:1.1.1k-7.el7.x86_64", "CentOS-7:openssl11-static-1:1.1.1k-7.el7.tuxcare.els1.x86_64", "CentOS-7:openssl11-static-1:1.1.1k-7.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }