An OpenSSL vulnerability has been found that can affect the Smart ID Digital Access component. This article describes how to handle the vulnerability.
This vulnerability can affect all versions of Hybrid Access Gateway and Digital Access from 5.13.x to 6.0.4.
According to an advisory published by OpenSSL, CVE-2021-3449 is a potential denial-of-service vulnerability caused by a NULL pointer dereference: an OpenSSL TLS server can crash if, in the course of a renegotiation, the client sends a malicious "ClientHello" message during the handshake between the server and the user.
More details can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449
To stay unaffected by this vulnerability in Hybrid Access Gateway and Digital Access, we strongly recommend disabling renegotiation on the Access points as shown below.
- In Digital Access Admin, go to Manage System > Access points > Edit Access point.
- Disable (uncheck) these options:
  - Allow renegotiation
  - Renegotiation DoS protection
- Go to Manage System > Access points > Manage Global access settings.
- Disable (uncheck) Enable legacy renegotiation.
- Click Save.
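After saving, you can check from the outside that an Access point no longer accepts client-initiated renegotiation. The shell probe below is an added example, not part of this article or the product; it drives OpenSSL's `s_client` (the `R` command requests a TLS 1.2 renegotiation) and classifies the `-state` transcript. The host name and the transcript strings it matches on are assumptions.

```shell
#!/bin/sh
# Added example: probe whether a TLS 1.2 endpoint still accepts client-initiated
# renegotiation (the precondition for CVE-2021-3449). Requires the openssl CLI.

# Classify an `openssl s_client -state` transcript (read on stdin) captured after
# an 'R' line was sent. Prints REFUSED, ACCEPTED or UNKNOWN.
# Assumption: the info-callback strings below match the s_client build in use.
classify_renegotiation() {
    transcript=$(cat)
    case "$transcript" in
        # Server answered the request with a no_renegotiation alert.
        *"no renegotiation"*) echo REFUSED ;;
        # A second ServerHello after RENEGOTIATING: the server went along with it.
        *"RENEGOTIATING"*"read server hello"*) echo ACCEPTED ;;
        # Renegotiation was requested but no second handshake followed
        # (typically the server closed the connection).
        *"RENEGOTIATING"*) echo REFUSED ;;
        # No renegotiation attempt visible at all (connect failure, no TLS 1.2, ...).
        *) echo UNKNOWN ;;
    esac
}

# Connect with TLS 1.2 only (TLS 1.3 has no renegotiation, so 'R' would mean
# something else there), request a renegotiation, then send a plain request
# so the transcript shows whether the session survived.
probe_renegotiation() {
    host=$1
    port=${2:-443}
    { sleep 2; printf 'R\n'; sleep 2; printf 'GET / HTTP/1.0\r\n\r\n'; sleep 2; } \
        | openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 -state 2>&1 \
        | classify_renegotiation
}

# Usage: ./probe.sh access-point.example.com 443   (placeholder host)
if [ "$#" -ge 1 ]; then
    probe_renegotiation "$@"
fi
```

A result of REFUSED is what you want to see after the settings above are saved; ACCEPTED means the Access point still honours renegotiation requests.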