CVE-2024-6119

EPSS 4.4%
Published 03.09.2024 16:15:07
Last modified 03.06.2025 10:51:54
Source openssl-security@openssl.org
Teams watchlist Login
Open Login

Issue summary: Applications performing certificate name checks (e.g., TLS
clients checking server certificates) may attempt to read an invalid memory
address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can a cause a denial of
service.

Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of an
X.509 certificate. This may result in an exception that terminates the
application program.

Note that basic certificate chain validation (signatures, dates, ...) is not
affected, the denial of service can occur only when the application also
specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they
generally don't perform a name check against a reference identifier (expected
identity), but rather extract the presented identity after checking the
certificate chain.  So TLS servers are generally not affected and the severity
of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 11

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

OpenSSL ≫ OpenSSL Version >= 3.0.0 < 3.0.15

OpenSSL ≫ OpenSSL Version >= 3.1.0 < 3.1.7

OpenSSL ≫ OpenSSL Version >= 3.2.0 < 3.2.3

OpenSSL ≫ OpenSSL Version >= 3.3.0 < 3.3.2

Netapp ≫ Active Iq Unified Manager Version- SwPlatformvmware_vsphere

Netapp ≫ Management Services For Element Software And Netapp Hci Version-

Netapp ≫ Ontap 9 Version-

Netapp ≫ Ontap Select Deploy Administration Utility Version-

Netapp ≫ Ontap Tools Version9 SwPlatformvmware_vsphere

Netapp ≫ Brocade Fabric Operating System Version-

Netapp ≫ H300s Firmware Version-

Netapp ≫ H300s Version-

Netapp ≫ H500s Firmware Version-

Netapp ≫ H500s Version-

Netapp ≫ H700s Firmware Version-

Netapp ≫ H700s Version-

Netapp ≫ H410s Firmware Version-

Netapp ≫ H410s Version-

Netapp ≫ H410c Firmware Version-

Netapp ≫ H410c Version-

Netapp ≫ H610c Firmware Version-

Netapp ≫ H610c Version-

Netapp ≫ H610s Firmware Version-

Netapp ≫ H610s Version-

Netapp ≫ H615c Version-

Netapp ≫ H615c Firmware Version-

Netapp ≫ Bootstrap Os Version-

Netapp ≫ Hci Compute Node Version-

Netapp ≫ A250 Firmware Version-

Netapp ≫ A250 Version-

Netapp ≫ 500f Firmware Version-

Netapp ≫ 500f Version-

Netapp ≫ C250 Firmware Version-

Netapp ≫ C250 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	4.4%	0.886

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f

Patch

https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6

Patch

https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2

Patch

https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0

Patch

https://openssl-library.org/news/secadv/20240903.txt

Vendor Advisory

http://www.openwall.com/lists/oss-security/2024/09/03/4

Mailing List