csaf_certbund - wid-sec-w-2024-1469

wid-sec-w-2024-1469

Vulnerability from csaf_certbund

Published

2024-06-26 22:00

Modified

2025-08-04 22:00

Summary

OpenSSL: Schwachstelle ermöglicht Denial of Service und Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

OpenSSL ist eine im Quelltext frei verfügbare Bibliothek, die Secure Sockets Layer (SSL) und Transport Layer Security (TLS) implementiert.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in OpenSSL ausnutzen, um einen Denial of Service Angriff durchzuführen und Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "OpenSSL ist eine im Quelltext frei verf\u00fcgbare Bibliothek, die Secure Sockets Layer (SSL) und Transport Layer Security (TLS) implementiert.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in OpenSSL ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren und Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1469 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1469.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1469 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1469"
      },
      {
        "category": "external",
        "summary": "OpenSSL Security Advisory vom 2024-06-26",
        "url": "https://www.openssl.org/news/secadv/20240627.txt"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2024-2591 vom 2024-07-23",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2591.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2635-1 vom 2024-07-30",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/EAYPMV3WQ7VYZOAFKQ3QLIE6JSVJEI32/"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7162032 vom 2024-07-31",
        "url": "https://www.ibm.com/support/pages/node/7162032"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6937-1 vom 2024-07-31",
        "url": "https://ubuntu.com/security/notices/USN-6937-1"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2761-1 vom 2024-08-06",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019110.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2891-1 vom 2024-08-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019179.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2024-2604 vom 2024-08-13",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2604.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2024-2621 vom 2024-08-13",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2621.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2909-1 vom 2024-08-14",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019199.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2927-1 vom 2024-08-15",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019203.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2931-1 vom 2024-08-15",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019207.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2933-1 vom 2024-08-15",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019206.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2953-1 vom 2024-08-19",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019221.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2989-1 vom 2024-08-20",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019296.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2991-1 vom 2024-08-20",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019295.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:3019-1 vom 2024-08-27",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ROZGZZCD7XE2EPPAZ2CXAEPDXGEWCU5O/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:3019-1 vom 2024-08-27",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ROZGZZCD7XE2EPPAZ2CXAEPDXGEWCU5O/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:3119-1 vom 2024-09-03",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019346.html"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2024-7D5C1BCC78 vom 2024-09-12",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-7d5c1bcc78"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALASOPENSSL-SNAPSAFE-2024-006 vom 2024-09-18",
        "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2024-006.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:7848 vom 2024-10-09",
        "url": "https://access.redhat.com/errata/RHSA-2024:7848"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:7846 vom 2024-10-09",
        "url": "https://access.redhat.com/errata/RHSA-2024:7846"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:7847 vom 2024-10-09",
        "url": "https://access.redhat.com/errata/RHSA-2024:7847"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2024-7848 vom 2024-10-10",
        "url": "https://linux.oracle.com/errata/ELSA-2024-7848.html"
      },
      {
        "category": "external",
        "summary": "Dell Security Advisory DSA-2024-422 vom 2024-10-10",
        "url": "https://www.dell.com/support/kbdoc/de-de/000234730/dsa-2024-422-security-update-for-dell-networker-vproxy-multiple-component-vulnerabilities"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7173018 vom 2024-10-14",
        "url": "https://www.ibm.com/support/pages/node/7173018"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2024-12786 vom 2024-10-23",
        "url": "https://linux.oracle.com/errata/ELSA-2024-12786.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:8318 vom 2024-10-23",
        "url": "https://access.redhat.com/errata/RHSA-2024:8318"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3942 vom 2024-10-31",
        "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin",
        "url": "https://www.ibm.com/support/pages/node/7174634"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:9333 vom 2024-11-12",
        "url": "https://access.redhat.com/errata/RHSA-2024:9333"
      },
      {
        "category": "external",
        "summary": "Insyde Security Advisory INSYDE-SA-2024012 vom 2024-11-12",
        "url": "https://www.insyde.com/security-pledge/SA-2024012"
      },
      {
        "category": "external",
        "summary": "HPE Security Bulletin vom 2024-11-14",
        "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbux04744en_us\u0026docLocale=en_US"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:10135 vom 2024-11-21",
        "url": "https://access.redhat.com/errata/RHSA-2024:10135"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7178065 vom 2024-12-06",
        "url": "https://www.ibm.com/support/pages/node/7178065"
      },
      {
        "category": "external",
        "summary": "Hitachi Vulnerability Information HITACHI-SEC-2024-150 vom 2024-12-17",
        "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-150/index.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:10990 vom 2025-01-15",
        "url": "https://access.redhat.com/errata/RHSA-2024:10990"
      },
      {
        "category": "external",
        "summary": "Hitachi Vulnerability Information HITACHI-SEC-2025-107 vom 2025-01-29",
        "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-107/index.html"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7182192 vom 2025-01-31",
        "url": "https://www.ibm.com/support/pages/node/7182192"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2025-2744 vom 2025-02-04",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2025-2744.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2025-2743 vom 2025-02-04",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2025-2743.html"
      },
      {
        "category": "external",
        "summary": "SolarWinds Platform 2025.1 release notes vom 2025-02-11",
        "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2025-1_release_notes.htm"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7183572 vom 2025-02-18",
        "url": "https://www.ibm.com/support/pages/node/7183572"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:1671 vom 2025-02-19",
        "url": "https://access.redhat.com/errata/RHSA-2025:1671"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-EPEL-2025-9176CC66C2 vom 2025-02-21",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-9176cc66c2"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7182395 vom 2025-03-04",
        "url": "https://www.ibm.com/support/pages/node/7182395"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7185244 vom 2025-03-10",
        "url": "https://www.ibm.com/support/pages/node/7185244"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7185261 vom 2025-03-10",
        "url": "https://www.ibm.com/support/pages/node/7185261"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7184919 vom 2025-03-28",
        "url": "https://www.ibm.com/support/pages/node/7184919"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3452 vom 2025-04-03",
        "url": "https://access.redhat.com/errata/RHSA-2025:3452"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3453 vom 2025-04-02",
        "url": "https://access.redhat.com/errata/RHSA-2025:3453"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3666 vom 2025-04-08",
        "url": "https://access.redhat.com/errata/RHSA-2025:3666"
      },
      {
        "category": "external",
        "summary": "Dell Security Advisory DSA-2025-020 vom 2025-04-10",
        "url": "https://www.dell.com/support/kbdoc/000250484"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7230557 vom 2025-04-10",
        "url": "https://www.ibm.com/support/pages/node/7230557"
      },
      {
        "category": "external",
        "summary": "XEROX Security Advisory XRX25-011 vom 2025-05-23",
        "url": "https://security.business.xerox.com/wp-content/uploads/2025/05/Xerox-Security-Bulletin-XRX25-011-for-Xerox-FreeFlow-Print-Server-v9.pdf"
      },
      {
        "category": "external",
        "summary": "XEROX Security Advisory XRX25-010 vom 2025-05-23",
        "url": "https://security.business.xerox.com/wp-content/uploads/2025/05/Xerox-Security-Bulletin-XRX25-010-for-Xerox-FreeFlow-Print-Server-v7.pdf"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:20014-1 vom 2025-06-04",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021360.html"
      },
      {
        "category": "external",
        "summary": "Dell Security Advisory DSA-2025-255 vom 2025-06-24",
        "url": "https://www.dell.com/support/kbdoc/000335103"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7236419 vom 2025-06-30",
        "url": "https://www.ibm.com/support/pages/node/7236419"
      },
      {
        "category": "external",
        "summary": "Security Update for Dell PowerProtect Data Domain",
        "url": "https://www.dell.com/support/kbdoc/en-us/000348708/dsa-2025-159-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"
      }
    ],
    "source_lang": "en-US",
    "title": "OpenSSL: Schwachstelle erm\u00f6glicht Denial of Service und Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2025-08-04T22:00:00.000+00:00",
      "generator": {
        "date": "2025-08-05T07:20:05.280+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2024-1469",
      "initial_release_date": "2024-06-26T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-06-26T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-07-22T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2024-07-29T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-07-30T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-07-31T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-08-05T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-08-13T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von SUSE und Amazon aufgenommen"
        },
        {
          "date": "2024-08-14T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-08-15T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-08-18T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-08-20T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-08-27T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-09-03T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-09-12T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Fedora aufgenommen"
        },
        {
          "date": "2024-09-18T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2024-10-09T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-10-13T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-10-22T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2024-10-23T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-10-30T23:00:00.000+00:00",
          "number": "20",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-10-31T23:00:00.000+00:00",
          "number": "21",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-11-11T23:00:00.000+00:00",
          "number": "22",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-11-12T23:00:00.000+00:00",
          "number": "23",
          "summary": "Neue Updates von Insyde aufgenommen"
        },
        {
          "date": "2024-11-14T23:00:00.000+00:00",
          "number": "24",
          "summary": "Neue Updates von HP aufgenommen"
        },
        {
          "date": "2024-11-20T23:00:00.000+00:00",
          "number": "25",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-12-08T23:00:00.000+00:00",
          "number": "26",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-12-17T23:00:00.000+00:00",
          "number": "27",
          "summary": "Neue Updates von HITACHI aufgenommen"
        },
        {
          "date": "2025-01-14T23:00:00.000+00:00",
          "number": "28",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-01-28T23:00:00.000+00:00",
          "number": "29",
          "summary": "Neue Updates von HITACHI aufgenommen"
        },
        {
          "date": "2025-01-30T23:00:00.000+00:00",
          "number": "30",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-02-04T23:00:00.000+00:00",
          "number": "31",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2025-02-10T23:00:00.000+00:00",
          "number": "32",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2025-02-18T23:00:00.000+00:00",
          "number": "33",
          "summary": "Neue Updates von IBM und IBM-APAR aufgenommen"
        },
        {
          "date": "2025-02-23T23:00:00.000+00:00",
          "number": "34",
          "summary": "Neue Updates von Fedora aufgenommen"
        },
        {
          "date": "2025-03-04T23:00:00.000+00:00",
          "number": "35",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-03-10T23:00:00.000+00:00",
          "number": "36",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-03-30T22:00:00.000+00:00",
          "number": "37",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-04-02T22:00:00.000+00:00",
          "number": "38",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-04-07T22:00:00.000+00:00",
          "number": "39",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-04-09T22:00:00.000+00:00",
          "number": "40",
          "summary": "Neue Updates von Dell aufgenommen"
        },
        {
          "date": "2025-05-22T22:00:00.000+00:00",
          "number": "41",
          "summary": "Neue Updates von XEROX aufgenommen"
        },
        {
          "date": "2025-06-04T22:00:00.000+00:00",
          "number": "42",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2025-06-23T22:00:00.000+00:00",
          "number": "43",
          "summary": "Neue Updates von Dell aufgenommen"
        },
        {
          "date": "2025-06-30T22:00:00.000+00:00",
          "number": "44",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-08-04T22:00:00.000+00:00",
          "number": "45",
          "summary": "Neue Updates von Dell aufgenommen"
        }
      ],
      "status": "final",
      "version": "45"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Dell BIOS",
            "product": {
              "name": "Dell BIOS",
              "product_id": "T035626",
              "product_identification_helper": {
                "cpe": "cpe:/h:dell:bios:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Dell Computer",
            "product": {
              "name": "Dell Computer",
              "product_id": "T036868",
              "product_identification_helper": {
                "cpe": "cpe:/o:dell:dell_computer:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "T40",
                "product": {
                  "name": "Dell PowerEdge T40",
                  "product_id": "T027537",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:dell:poweredge:t40"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "PowerEdge"
          },
          {
            "category": "product_name",
            "name": "Dell PowerProtect Data Domain",
            "product": {
              "name": "Dell PowerProtect Data Domain",
              "product_id": "T045852",
              "product_identification_helper": {
                "cpe": "cpe:/a:dell:powerprotect_data_domain:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Dell PowerProtect Data Domain Management Center",
            "product": {
              "name": "Dell PowerProtect Data Domain Management Center",
              "product_id": "T045853",
              "product_identification_helper": {
                "cpe": "cpe:/a:dell:powerprotect_data_domain_management_center:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Dell PowerProtect Data Domain OS",
            "product": {
              "name": "Dell PowerProtect Data Domain OS",
              "product_id": "T045854",
              "product_identification_helper": {
                "cpe": "cpe:/o:dell:powerprotect_data_domain_os:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Dell"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "OpenSSL Software \u003cA.03.00.15.001",
                "product": {
                  "name": "HPE HP-UX OpenSSL Software \u003cA.03.00.15.001",
                  "product_id": "T039192"
                }
              },
              {
                "category": "product_version",
                "name": "OpenSSL Software A.03.00.15.001",
                "product": {
                  "name": "HPE HP-UX OpenSSL Software A.03.00.15.001",
                  "product_id": "T039192-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:hp:hp-ux:openssl_software__a.03.00.15.001"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "HP-UX"
          }
        ],
        "category": "vendor",
        "name": "HPE"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Hitachi Ops Center",
                "product": {
                  "name": "Hitachi Ops Center",
                  "product_id": "T038840",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hitachi:ops_center:-"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.0.3-00",
                "product": {
                  "name": "Hitachi Ops Center \u003c11.0.3-00",
                  "product_id": "T039867"
                }
              },
              {
                "category": "product_version",
                "name": "11.0.3-00",
                "product": {
                  "name": "Hitachi Ops Center 11.0.3-00",
                  "product_id": "T039867-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hitachi:ops_center:11.0.3-00"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Ops Center"
          }
        ],
        "category": "vendor",
        "name": "Hitachi"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.3",
                "product": {
                  "name": "IBM AIX 7.3",
                  "product_id": "1139691",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:ibm:aix:7.3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.2",
                "product": {
                  "name": "IBM AIX 7.2",
                  "product_id": "434967",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:ibm:aix:7.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "AIX"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Certified Container",
                "product": {
                  "name": "IBM App Connect Enterprise Certified Container",
                  "product_id": "T037907",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:app_connect_enterprise:certified_container"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "App Connect Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "11.7",
                "product": {
                  "name": "IBM InfoSphere Information Server 11.7",
                  "product_id": "444803",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:infosphere_information_server:11.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "InfoSphere Information Server"
          },
          {
            "category": "product_name",
            "name": "IBM MQ",
            "product": {
              "name": "IBM MQ",
              "product_id": "T036688",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:mq:operator"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "v10",
                "product": {
                  "name": "IBM Power Hardware Management Console v10",
                  "product_id": "T023373",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:hardware_management_console:v10"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Power Hardware Management Console"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c7.5.0 UP10 IF01",
                "product": {
                  "name": "IBM QRadar SIEM \u003c7.5.0 UP10 IF01",
                  "product_id": "T038741"
                }
              },
              {
                "category": "product_version",
                "name": "7.5.0 UP10 IF01",
                "product": {
                  "name": "IBM QRadar SIEM 7.5.0 UP10 IF01",
                  "product_id": "T038741-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:qradar_siem:7.5.0_up10_if01"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "QRadar SIEM"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c8.0.0.27",
                "product": {
                  "name": "IBM Rational Build Forge \u003c8.0.0.27",
                  "product_id": "T038286"
                }
              },
              {
                "category": "product_version",
                "name": "8.0.0.27",
                "product": {
                  "name": "IBM Rational Build Forge 8.0.0.27",
                  "product_id": "T038286-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:rational_build_forge:8.0.0.27"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Rational Build Forge"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c9.1.0.8",
                "product": {
                  "name": "IBM Rational ClearCase \u003c9.1.0.8",
                  "product_id": "T041577"
                }
              },
              {
                "category": "product_version",
                "name": "9.1.0.8",
                "product": {
                  "name": "IBM Rational ClearCase 9.1.0.8",
                  "product_id": "T041577-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:rational_clearcase:9.1.0.8"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.0.1.3",
                "product": {
                  "name": "IBM Rational ClearCase \u003c10.0.1.3",
                  "product_id": "T041578"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.1.3",
                "product": {
                  "name": "IBM Rational ClearCase 10.0.1.3",
                  "product_id": "T041578-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:rational_clearcase:10.0.1.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.0.0.3",
                "product": {
                  "name": "IBM Rational ClearCase \u003c11.0.0.3",
                  "product_id": "T041579"
                }
              },
              {
                "category": "product_version",
                "name": "11.0.0.3",
                "product": {
                  "name": "IBM Rational ClearCase 11.0.0.3",
                  "product_id": "T041579-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:rational_clearcase:11.0.0.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Rational ClearCase"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c10.0.7",
                "product": {
                  "name": "IBM Rational ClearQuest \u003c10.0.7",
                  "product_id": "T041698"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.7",
                "product": {
                  "name": "IBM Rational ClearQuest 10.0.7",
                  "product_id": "T041698-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:rational_clearquest:10.0.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cFix Pack 8 (9.1.0.8) for 9.1",
                "product": {
                  "name": "IBM Rational ClearQuest \u003cFix Pack 8 (9.1.0.8) for 9.1",
                  "product_id": "T041699"
                }
              },
              {
                "category": "product_version",
                "name": "Fix Pack 8 (9.1.0.8) for 9.1",
                "product": {
                  "name": "IBM Rational ClearQuest Fix Pack 8 (9.1.0.8) for 9.1",
                  "product_id": "T041699-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:rational_clearquest:fix_pack_8_%289.1.0.8%29_for_9.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Rational ClearQuest"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "12",
                "product": {
                  "name": "IBM Security Guardium 12.0",
                  "product_id": "T031092",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:security_guardium:12.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Security Guardium"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c10.1.17",
                "product": {
                  "name": "IBM Spectrum Protect Plus \u003c10.1.17",
                  "product_id": "T042730"
                }
              },
              {
                "category": "product_version",
                "name": "10.1.17",
                "product": {
                  "name": "IBM Spectrum Protect Plus 10.1.17",
                  "product_id": "T042730-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spectrum_protect_plus:10.1.17"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Spectrum Protect Plus"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c6.1.9.7",
                "product": {
                  "name": "IBM Storage Scale System \u003c6.1.9.7",
                  "product_id": "T044961"
                }
              },
              {
                "category": "product_version",
                "name": "6.1.9.7",
                "product": {
                  "name": "IBM Storage Scale System 6.1.9.7",
                  "product_id": "T044961-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:ibm:storage_scale_system:6.1.9.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.2.3.0",
                "product": {
                  "name": "IBM Storage Scale System \u003c6.2.3.0",
                  "product_id": "T044962"
                }
              },
              {
                "category": "product_version",
                "name": "6.2.3.0",
                "product": {
                  "name": "IBM Storage Scale System 6.2.3.0",
                  "product_id": "T044962-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:ibm:storage_scale_system:6.2.3.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Storage Scale System"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.1",
                "product": {
                  "name": "IBM VIOS 3.1",
                  "product_id": "1039165",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:vios:3.1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "4.1",
                "product": {
                  "name": "IBM VIOS 4.1",
                  "product_id": "1522854",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:vios:4.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "VIOS"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cRV24.06.3",
                "product": {
                  "name": "Insyde UEFI Firmware \u003cRV24.06.3",
                  "product_id": "T038993"
                }
              },
              {
                "category": "product_version",
                "name": "RV24.06.3",
                "product": {
                  "name": "Insyde UEFI Firmware RV24.06.3",
                  "product_id": "T038993-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:insyde:uefi:rv24.06.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cRV23.08.1",
                "product": {
                  "name": "Insyde UEFI Firmware \u003cRV23.08.1",
                  "product_id": "T038994"
                }
              },
              {
                "category": "product_version",
                "name": "RV23.08.1",
                "product": {
                  "name": "Insyde UEFI Firmware RV23.08.1",
                  "product_id": "T038994-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:insyde:uefi:rv23.08.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "UEFI Firmware"
          }
        ],
        "category": "vendor",
        "name": "Insyde"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c3.3.2",
                "product": {
                  "name": "Open Source OpenSSL \u003c3.3.2",
                  "product_id": "T035672"
                }
              },
              {
                "category": "product_version",
                "name": "3.3.2",
                "product": {
                  "name": "Open Source OpenSSL 3.3.2",
                  "product_id": "T035672-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:openssl:openssl:3.3.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c3.2.3",
                "product": {
                  "name": "Open Source OpenSSL \u003c3.2.3",
                  "product_id": "T035673"
                }
              },
              {
                "category": "product_version",
                "name": "3.2.3",
                "product": {
                  "name": "Open Source OpenSSL 3.2.3",
                  "product_id": "T035673-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:openssl:openssl:3.2.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c3.1.7",
                "product": {
                  "name": "Open Source OpenSSL \u003c3.1.7",
                  "product_id": "T035674"
                }
              },
              {
                "category": "product_version",
                "name": "3.1.7",
                "product": {
                  "name": "Open Source OpenSSL 3.1.7",
                  "product_id": "T035674-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:openssl:openssl:3.1.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c3.0.15",
                "product": {
                  "name": "Open Source OpenSSL \u003c3.0.15",
                  "product_id": "T035675"
                }
              },
              {
                "category": "product_version",
                "name": "3.0.15",
                "product": {
                  "name": "Open Source OpenSSL 3.0.15",
                  "product_id": "T035675-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:openssl:openssl:3.0.15"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.1.1za",
                "product": {
                  "name": "Open Source OpenSSL \u003c1.1.1za",
                  "product_id": "T035676"
                }
              },
              {
                "category": "product_version",
                "name": "1.1.1za",
                "product": {
                  "name": "Open Source OpenSSL 1.1.1za",
                  "product_id": "T035676-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:openssl:openssl:1.1.1za"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.0.2zk",
                "product": {
                  "name": "Open Source OpenSSL \u003c1.0.2zk",
                  "product_id": "T035677"
                }
              },
              {
                "category": "product_version",
                "name": "1.0.2zk",
                "product": {
                  "name": "Open Source OpenSSL 1.0.2zk",
                  "product_id": "T035677-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:openssl:openssl:1.0.2zk"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OpenSSL"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.4.62",
                "product": {
                  "name": "Red Hat JBoss Core Services \u003c2.4.62",
                  "product_id": "T042316"
                }
              },
              {
                "category": "product_version",
                "name": "2.4.62",
                "product": {
                  "name": "Red Hat JBoss Core Services 2.4.62",
                  "product_id": "T042316-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_core_services:2.4.62"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "JBoss Core Services"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Logging \u003c5.9.10",
                "product": {
                  "name": "Red Hat OpenShift Logging \u003c5.9.10",
                  "product_id": "T040352"
                }
              },
              {
                "category": "product_version",
                "name": "Logging 5.9.10",
                "product": {
                  "name": "Red Hat OpenShift Logging 5.9.10",
                  "product_id": "T040352-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:logging__5.9.10"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OpenShift"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2025.1",
                "product": {
                  "name": "SolarWinds Platform \u003c2025.1",
                  "product_id": "T040952"
                }
              },
              {
                "category": "product_version",
                "name": "2025.1",
                "product": {
                  "name": "SolarWinds Platform 2025.1",
                  "product_id": "T040952-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:solarwinds:orion_platform:2025.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Platform"
          }
        ],
        "category": "vendor",
        "name": "SolarWinds"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7",
                "product": {
                  "name": "Xerox FreeFlow Print Server 7",
                  "product_id": "T000872",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:xerox:freeflow_print_server:7"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "9",
                "product": {
                  "name": "Xerox FreeFlow Print Server 9",
                  "product_id": "T002977",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:xerox:freeflow_print_server:9"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FreeFlow Print Server"
          }
        ],
        "category": "vendor",
        "name": "Xerox"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-5535",
      "product_status": {
        "known_affected": [
          "T035677",
          "67646",
          "T036868",
          "T035672",
          "T002977",
          "T036688",
          "T004914",
          "T035676",
          "T035675",
          "T038741",
          "T038840",
          "T035674",
          "T035673",
          "1139691",
          "T042730",
          "T038286",
          "T039192",
          "T027537",
          "T031092",
          "T042316",
          "T000872",
          "T040952",
          "398363",
          "T037907",
          "T023373",
          "T040352",
          "434967",
          "T035626",
          "1039165",
          "1522854",
          "T039867",
          "74185",
          "T038994",
          "T038993",
          "T045853",
          "T044962",
          "T045852",
          "T044961",
          "T045854",
          "2951",
          "T002207",
          "T000126",
          "444803",
          "T041579",
          "T041578",
          "T041699",
          "T041577",
          "T041698"
        ]
      },
      "release_date": "2024-06-26T22:00:00.000+00:00",
      "title": "CVE-2024-5535"
    }
  ]
}

CVE-2024-5535 (GCVE-0-2024-5535)

Vulnerability from cvelistv5

Published

2024-06-27 10:30

Modified

2025-02-13 17:54

Severity ?

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Summary

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.

References

►

URL

Tags

	https://www.openssl.org/news/secadv/20240627.txt	vendor-advisory
	https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c	patch
	https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e	patch
	https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37	patch
	https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c	patch
	https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87	patch
	https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c	patch
	http://www.openwall.com/lists/oss-security/2024/06/27/1
	http://www.openwall.com/lists/oss-security/2024/06/28/4
	https://security.netapp.com/advisory/ntap-20240712-0005/

Impacted products

	Vendor	Product	Version
	OpenSSL	OpenSSL	Version: 3.3.0 ≤ Version: 3.2.0 ≤ Version: 3.1.0 ≤ Version: 3.0.0 ≤ Version: 1.1.1 < 1.1.1za Version: 1.0.2 < 1.0.2zk

Show details on NVD website