The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application.

In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.

OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
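The advisory above gives two independent conditions for exposure: the linked OpenSSL must be in the 1.1.1h to 1.1.1j window, and verification must run with X509_V_FLAG_X509_STRICT set but no purpose in force. The following is an added example, not code from the OpenSSL project or from this advisory, that turns those conditions into a check a practitioner can run against an interpreter's linked OpenSSL. It decodes the pre-3.0 OPENSSL_VERSION_NUMBER layout (0xMNNFFPPS) to locate the release in the window and inspects a CPython SSLContext for the strict flag. The function names (decode_version_number, version_in_window, configuration_exposed, assess, and so on) and the purpose_set parameter are this example's own; the assumption that a stdlib CPython context keeps libssl's default purpose rests on the advisory's statement that libssl sets one by default and on the ssl module exposing no API to override it.

```python
"""Assess exposure to the X509_V_FLAG_X509_STRICT CA-check bypass described above.

Two things decide exposure: the OpenSSL release window (1.1.1h through 1.1.1j)
and the verification configuration (strict flag set, no purpose in force).
Added example; function names are this example's own, not OpenSSL API.
"""
import ssl

# Layout of OPENSSL_VERSION_NUMBER for 1.x releases: 0xMNNFFPPS, i.e.
# major (4 bits), minor (8), fix (8), patch letter (8, a=1), status (4, f=release).
# Example: 1.1.1h == 0x1010108F. OpenSSL 3.x uses a different layout and is
# outside the advisory's scope, so it is only recognised by major, not decoded.
def decode_version_number(num):
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    status = num & 0xF
    return (major, minor, fix, patch, status)


def format_version(num):
    """Render a 1.x OPENSSL_VERSION_NUMBER the way `openssl version` prints it."""
    major, minor, fix, patch, _status = decode_version_number(num)
    letter = chr(ord("a") + patch - 1) if patch else ""
    return f"{major}.{minor}.{fix}{letter}"


AFFECTED_FIRST = (1, 1, 1, 8)    # 1.1.1h: strict EC-parameter check introduced
AFFECTED_LAST = (1, 1, 1, 10)    # 1.1.1j: last release before the 1.1.1k fix


def version_in_window(num):
    """True for 1.1.1h..1.1.1j; 1.0.2, 1.1.1g and earlier, 1.1.1k+ and 3.x are outside."""
    major, minor, fix, patch, _status = decode_version_number(num)
    if major != 1:
        return False
    return AFFECTED_FIRST <= (major, minor, fix, patch) <= AFFECTED_LAST


def configuration_exposed(strict_flag_set, purpose_set):
    """The advisory's conditions: X509_V_FLAG_X509_STRICT on AND no purpose in force.

    With a purpose set, every named libcrypto purpose re-checks that issuers are
    valid CAs, so the chain is still rejected and the bug is not reachable.
    """
    return bool(strict_flag_set) and not purpose_set


def context_uses_strict(ctx):
    """Whether a CPython SSLContext has turned on X509_V_FLAG_X509_STRICT."""
    return bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)


def make_client_context(strict=True):
    """A client context with strict checking explicitly on or off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if strict:
        ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    else:
        ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    return ctx


def assess(ctx, version_number=None, purpose_set=True):
    """Combine the release window with the context's verification configuration.

    purpose_set defaults to True (assumption): CPython's ssl module offers no way
    to override the purpose libssl applies by default to client and server
    verification. Pass False to model a libcrypto caller that verifies chains
    itself without setting one, which is the configuration the advisory names.
    """
    num = ssl.OPENSSL_VERSION_NUMBER if version_number is None else version_number
    strict = context_uses_strict(ctx)
    return {
        "in_window": version_in_window(num),
        "strict": strict,
        "purpose_set": purpose_set,
        "exposed": version_in_window(num) and configuration_exposed(strict, purpose_set),
    }


if __name__ == "__main__":
    print("linked OpenSSL:", ssl.OPENSSL_VERSION)
    print(assess(make_client_context(strict=True)))
```

Run it as a script to see the verdict for the interpreter's own OpenSSL; the window check alone is what a fleet inventory would apply to `OPENSSL_VERSION_NUMBER` values collected from native applications, where the purpose question has to be answered by reading the application's verification code.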
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | NONE |
AV:N/AC:M/Au:N/C:P/I:P/A:N
| Access Vector | NETWORK |
|---|---|
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | NONE |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary | CWE-295 (Improper Certificate Validation) |
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| openssl | openssl | * | * | Application |
| freebsd | freebsd | 12.2 | - | Operating System |
| freebsd | freebsd | 12.2 | p1 | Operating System |
| freebsd | freebsd | 12.2 | p2 | Operating System |
| netapp | santricity_smi-s_provider_firmware | - | * | Operating System |
| netapp | storagegrid_firmware | - | * | Operating System |
| windriver | linux | - | * | Operating System |
| windriver | linux | 17.0 | * | Operating System |
| windriver | linux | 18.0 | * | Operating System |
| windriver | linux | 19.0 | * | Operating System |
| netapp | cloud_volumes_ontap_mediator | - | * | Application |
| netapp | oncommand_workflow_automation | - | * | Application |
| netapp | ontap_select_deploy_administration_utility | - | * | Application |
| netapp | storagegrid | - | * | Application |
| fedoraproject | fedora | 34 | * | Operating System |
| tenable | nessus | * | * | Application |
| tenable | nessus_agent | * | * | Application |
| tenable | nessus_network_monitor | 5.11.0 | * | Application |
| tenable | nessus_network_monitor | 5.11.1 | * | Application |
| tenable | nessus_network_monitor | 5.12.0 | * | Application |
| tenable | nessus_network_monitor | 5.12.1 | * | Application |
| tenable | nessus_network_monitor | 5.13.0 | * | Application |
| oracle | commerce_guided_search | 11.3.2 | * | Application |
| oracle | enterprise_manager_for_storage_management | 13.4.0.0 | * | Application |
| oracle | graalvm | 19.3.5 | * | Application |
| oracle | graalvm | 20.3.1.2 | * | Application |
| oracle | graalvm | 21.0.0.2 | * | Application |
| oracle | jd_edwards_enterpriseone_tools | * | * | Application |
| oracle | jd_edwards_world_security | a9.4 | * | Application |
| oracle | mysql_connectors | * | * | Application |
| oracle | mysql_enterprise_monitor | * | * | Application |
| oracle | mysql_server | * | * | Application |
| oracle | mysql_server | * | * | Application |
| oracle | mysql_workbench | * | * | Application |
| oracle | peoplesoft_enterprise_peopletools | * | * | Application |
| oracle | secure_backup | * | * | Application |
| oracle | secure_global_desktop | 5.6 | * | Application |
| oracle | weblogic_server | 12.2.1.4.0 | * | Application |
| oracle | weblogic_server | 14.1.1.0.0 | * | Application |
| mcafee | web_gateway | 8.2.19 | * | Application |
| mcafee | web_gateway | 9.2.10 | * | Application |
| mcafee | web_gateway | 10.1.1 | * | Application |
| mcafee | web_gateway_cloud_service | 8.2.19 | * | Application |
| mcafee | web_gateway_cloud_service | 9.2.10 | * | Application |
| mcafee | web_gateway_cloud_service | 10.1.1 | * | Application |
| sonicwall | sma100_firmware | * | * | Operating System |
| sonicwall | capture_client | * | * | Application |
| sonicwall | email_security | * | * | Application |
| sonicwall | sonicos | * | * | Operating System |
| nodejs | node.js | * | * | Application |
| nodejs | node.js | * | * | Application |
| nodejs | node.js | * | * | Application |
| nodejs | node.js | * | * | Application |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:freebsd:freebsd:12.2:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:freebsd:freebsd:12.2:p1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:freebsd:freebsd:12.2:p2:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:netapp:santricity_smi-s_provider_firmware:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:netapp:storagegrid_firmware:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:netapp:storagegrid:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:windriver:linux:-:*:*:*:cd:*:*:* |
| Yes | cpe:2.3:o:windriver:linux:17.0:*:*:*:lts:*:*:* |
| Yes | cpe:2.3:o:windriver:linux:18.0:*:*:*:lts:*:*:* |
| Yes | cpe:2.3:o:windriver:linux:19.0:*:*:*:lts:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:netapp:cloud_volumes_ontap_mediator:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:tenable:nessus_agent:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:tenable:nessus_network_monitor:5.11.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:tenable:nessus_network_monitor:5.11.1:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:tenable:nessus_network_monitor:5.12.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:tenable:nessus_network_monitor:5.12.1:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:tenable:nessus_network_monitor:5.13.0:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:enterprise_manager_for_storage_management:13.4.0.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:* |
| Yes | cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:* |
| Yes | cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:* |
| Yes | cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:secure_backup:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:secure_global_desktop:5.6:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:mcafee:web_gateway:8.2.19:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:web_gateway:9.2.10:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:web_gateway:10.1.1:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:web_gateway_cloud_service:8.2.19:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:web_gateway_cloud_service:9.2.10:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:web_gateway_cloud_service:10.1.1:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:sonicwall:sma100_firmware:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:sonicwall:sma100:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:sonicwall:capture_client:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
| Yes | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
| Yes | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
| Yes | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |