The OpenSSL Project on Tuesday announced the availability of patches for three vulnerabilities, including two that can be exploited for denial-of-service (DoS) attacks and one related to incorrect SSLv2 rollback protection.
The most serious of the vulnerabilities, with a severity rating of moderate, is CVE-2021-23841, a NULL pointer dereference issue that can result in a crash and a DoS condition. The security hole is related to a function (X509_issuer_and_serial_hash) that is never called directly by OpenSSL itself, which means it only impacts applications that use the function directly with certificates obtained from untrusted sources.
The flaw was reported to OpenSSL developers by Google Project Zero researcher Tavis Ormandy and it has been patched with the release of OpenSSL 1.1.1j. Versions 1.1.1i and earlier are impacted.
OpenSSL 1.1.1j also fixes a low-severity integer overflow issue that can also lead to a crash. The bug, tracked as CVE-2021-23840, was identified by Paul Kehrer.
Another low-severity issue, CVE-2021-23839, was reported to the OpenSSL Project by researchers at cybersecurity firm Trustwave, who discovered that servers using OpenSSL 1.0.2 are vulnerable to SSL version rollback attacks. However, an attack can only be launched against certain configurations and OpenSSL 1.1.1 is not impacted.
CVE-2021-23839 has been patched in version 1.0.2y. However, OpenSSL 1.0.2 is no longer supported so the update is only available to premium support customers.
OpenSSL has come a long way in terms of security since the disclosure of the vulnerability dubbed Heartbleed back in 2014. Only three vulnerabilities were patched in 2020, and only two of those, which could be exploited for DoS attacks, were rated high severity. No high-severity issues were fixed in OpenSSL in 2018 and 2019.
Related: Evolution of OpenSSL Security After Heartbleed
Related: Cybersecurity Agencies Warn of High-Severity OpenSSL Vulnerability
Related: OpenSSL Ships ‘High Severity’ Security Patch
Related: High-Severity Vulnerability in OpenSSL Allows DoS Attacks