Description
A denial-of-service condition exists in the default renegotiation configuration of TLSv1.2, triggered by malicious ClientHello requests.
Affected versions include:
- All OpenSSL 1.1.1 versions are affected by this issue
Organizations that develop products or services that utilize OpenSSL should integrate the fixes as soon as possible.
Organizations that use products that have embedded OpenSSL should monitor their vendor patch releases to see if they are affected and patch according to your normal priority patch window cycle unless you are running very sensitive applications in need of a very high level of CA assurance (CVE-2021-3450) or have internet-facing systems that could be targeted with hard-to-detect application-level denial-of-service attacks (CVE-2021-3449)
