Three dangerous vulnerabilities were fixed in the OpenSSL project
The OpenSSL developers have released fixes for three vulnerabilities in their project; two of them can be exploited for Denial of Service (DoS) attacks.
The most serious of the three, CVE-2021-23841, is a null pointer dereference vulnerability that can result in a crash and a DoS condition.
Google Project Zero security researcher Tavis Ormandy reported the issue, and the OpenSSL developers fixed it in OpenSSL 1.1.1j. The same release also fixes an integer overflow vulnerability (CVE-2021-23840), which can likewise lead to a crash.
Trustwave reported a third issue (CVE-2021-23839): servers using OpenSSL 1.0.2 are vulnerable to SSL version rollback attacks. The attack can only be launched against certain configurations, and the vulnerability does not affect OpenSSL 1.1.1. The issue was fixed in version 1.0.2y, but this branch of OpenSSL is no longer supported, so the update is available only to premium support customers.
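As an added example (not part of the original report or of the OpenSSL project), the following script parses the pre-3.0 OpenSSL version string, as printed by `openssl version`, and reports which of the three CVEs named above a given build still lacks, using the fixed releases stated in the text (1.1.1j and 1.0.2y). The fix table, the sample version strings and the `check_installed` helper are assumptions constructed for this example.

```python
import re
import subprocess

# Fixed releases as stated in the report above (constructed table for this example):
# 1.1.1j fixes CVE-2021-23841 and CVE-2021-23840; 1.0.2y fixes CVE-2021-23839.
FIXES = {
    "1.1.1": ("j", ["CVE-2021-23841", "CVE-2021-23840"]),
    "1.0.2": ("y", ["CVE-2021-23839"]),
}

# Pre-3.0 scheme: major.minor.fix followed by an optional patch letter ("1.1.1j").
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Parse e.g. 'OpenSSL 1.1.1j  16 Feb 2021' into (major, minor, fix, letters).
    Returns None if the text is not an OpenSSL 1.x-style version string."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def missing_fixes(version_text):
    """Return the CVEs from the report that this build predates.
    Patch letters order lexicographically ('' < 'a' < ... < 'z' < 'za' < ...),
    which matches how OpenSSL 1.x patch releases were numbered."""
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError(f"unrecognised OpenSSL version string: {version_text!r}")
    major, minor, fix, letters = parsed
    branch = f"{major}.{minor}.{fix}"
    if branch not in FIXES:
        return []  # branch not covered by this report (e.g. 1.1.0 or 3.0)
    fixed_letter, cves = FIXES[branch]
    return cves if letters < fixed_letter else []


def check_installed():
    """Run `openssl version` on this host and report what is still unpatched.
    Note: distributions that backport fixes without bumping the letter will
    show as unpatched here; cross-check with the package changelog."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), missing_fixes(out)


if __name__ == "__main__":
    version, cves = check_installed()
    print(version, "->", "unpatched: " + ", ".join(cves) if cves else "not affected by these CVEs")
```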
Source: securitylab.ru
18 February 2021