CVE-2021-23839 in OpenSSL
Summary
by MITRE • 02/16/2021
OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions, then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such a server will accept a connection if a version rollback attack has occurred. Further, the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list). OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2, the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However, since there is no support for the SSLv2 protocol in 1.1.1, this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).
Analysis
by VulDB Data Team • 02/06/2026
CVE-2021-23839 is a logic error in OpenSSL 1.0.2's SSLv2 handling, specifically in the RSA padding check implemented by RSA_padding_check_SSLv23(), the function responsible for detecting version rollback during an SSLv2 handshake. The issue arises when a server configured for both SSLv2 and newer SSL/TLS versions receives an SSLv2 connection attempt. By protocol design, a client that also supports newer versions marks its RSA-encrypted block with a special form of padding, so that a server which likewise supports newer versions can recognise the SSLv2 attempt as a downgrade and reject it. The padding check's condition was inverted: the server accepts the connection when the rollback-marker padding is present and rejects a legitimate SSLv2 connection when it is absent. The analysis classifies the weakness under CWE-254 and maps it to ATT&CK technique T1071.401 for protocol manipulation and version rollback attacks. The net effect is a false sense of security: the server accepts exactly the downgrade attempts it was meant to detect while refusing legitimate connections.
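To make the inverted condition concrete, here is an added example that is not OpenSSL's code: an illustrative, non-constant-time reimplementation of the SSLv23 padding check with an `inverted_check` flag that reproduces the faulty behaviour, plus a constructed block builder that uses fixed 0xAA padding bytes. The function names, the flag and the fixed padding are assumptions made for this illustration.

```c
#include <string.h>

/* Illustrative reimplementation (not OpenSSL's code) of the SSLv23 padding check
 * on an RSA-decrypted block em[0..num-1] laid out as 00 02 PS(>=8 non-zero) 00 M.
 * A client that also speaks newer SSL/TLS sets the last 8 bytes of PS to 0x03; a
 * server seeing that marker in an SSLv2 handshake must reject it as a rollback.
 * Not constant-time: written for clarity, not for production use. */
enum { SSLV23_OK = 0, SSLV23_BAD_BLOCK = 1, SSLV23_ROLLBACK = 2 };

/* Returns the length of M copied into `to`, or -1 with *err set.
 * inverted_check=1 reproduces the CVE-2021-23839 condition. */
int sslv23_padding_check(unsigned char *to, size_t tlen, const unsigned char *em,
                         size_t num, int inverted_check, int *err)
{
    size_t i, k, mlen; int marker = 1;
    *err = SSLV23_BAD_BLOCK;
    if (num < 11 || em[0] != 0x00 || em[1] != 0x02) return -1;
    for (i = 2; i < num && em[i] != 0x00; i++)   /* find the 0x00 separator */
        ;
    if (i == num || i - 2 < 8) return -1;        /* none found, or PS too short */
    for (k = i - 8; k < i; k++)                  /* the 8 PS bytes before 0x00 */
        marker &= (em[k] == 0x03);
    /* Correct: marker present -> rollback -> reject.
     * Bug:     marker present -> accept, marker absent -> reject. */
    if (inverted_check ? !marker : marker) {
        *err = SSLV23_ROLLBACK; return -1;
    }
    mlen = num - i - 1;
    if (mlen > tlen) return -1;
    memcpy(to, em + i + 1, mlen);
    *err = SSLV23_OK;
    return (int)mlen;
}

/* Constructs a test block with fixed 0xAA padding (real encoders use random
 * non-zero bytes); tls_capable=1 writes the eight 0x03 marker bytes. */
int sslv23_build_block(unsigned char *em, size_t num, const unsigned char *msg,
                       size_t mlen, int tls_capable)
{
    size_t pslen;
    if (num < mlen + 11) return -1;              /* need >= 8 bytes of PS */
    pslen = num - mlen - 3;                      /* 00 02 PS 00 M */
    em[0] = 0x00; em[1] = 0x02;
    memset(em + 2, 0xAA, pslen);
    if (tls_capable) memset(em + 2 + pslen - 8, 0x03, 8);
    em[2 + pslen] = 0x00;
    memcpy(em + 3 + pslen, msg, mlen);
    return 0;
}
```

Run with `inverted_check` set to 0 and 1 on the same two blocks to see the accept and reject outcomes swap exactly as the advisory describes.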
The operational impact goes beyond failed connections: in environments where SSLv2 is still enabled, even though the protocol has long been deprecated and is insecure, the inverted check removes the one safeguard that was supposed to catch downgrades. The issue affects OpenSSL 1.0.2 versions 1.0.2s through 1.0.2x, and a server is only vulnerable if three conditions hold: SSLv2 support compiled in, SSLv2 enabled at runtime, and SSLv2 ciphersuites configured. Because all three are off by default, the vulnerability is rarely exposed in practice, but it is a serious risk on legacy systems that keep SSLv2 for backward compatibility. The flaw matters specifically where a server accepts SSLv2 alongside newer protocols, since that is the configuration in which an attacker can exploit the inverted logic to perform a version rollback without detection. Organizations running vulnerable versions face man-in-the-middle scenarios in which an attacker forces a downgrade to SSLv2, bypassing the protections of modern TLS. The vulnerability undermines the integrity of the SSL/TLS handshake and the assurances that protocol negotiation is supposed to provide.
Mitigation for affected OpenSSL 1.0.2 installations needs prompt attention from the administrators and security teams responsible for them. The primary recommendation is to upgrade to OpenSSL 1.0.2y, which corrects the logic error, or to migrate to OpenSSL 1.1.1j, which has no SSLv2 support at all. Where an upgrade is not immediately possible, disabling SSLv2 at compile time, at runtime or in the ciphersuite configuration is sufficient, since the vulnerability only manifests when all three are enabled. Security teams should audit their infrastructure for any remaining systems on vulnerable OpenSSL versions, particularly legacy applications that may not have received security updates, and should configure monitoring to flag unusual connection patterns that could indicate attempted protocol downgrades. The fix corrects the inverted condition in the RSA padding validation so that version rollback attempts are detected and rejected while legitimate SSLv2 connections proceed normally. The bug illustrates how a subtle logic error in a security-critical cryptographic routine can silently defeat the protection it implements, and why such functions need explicit tests for both the accept and the reject cases. Organizations should also review application code that calls RSA_padding_check_SSLv23() directly or uses the RSA_SSLV23_PADDING mode: those callers are affected even in 1.1.1, where the problem is treated as a bug rather than a security issue because the protocol itself is unsupported. Finally, the vulnerability is a reminder of the risk of running unsupported software: OpenSSL 1.0.2 no longer receives public updates, and only premium support customers receive the fix.