
New OpenSSL Vulnerability Leads to Denial of Service

by Rohan Timalsina

September 16, 2024 - TuxCare expert team

A recently discovered flaw in OpenSSL, identified as CVE-2024-6119, could potentially lead to denial-of-service (DoS) attacks on applications that rely on OpenSSL for certificate validation. This article explores the specifics of this OpenSSL vulnerability, its impact, and the steps needed to protect affected systems.

CVE-2024-6119: The OpenSSL Vulnerability

The issue lies within the X.509 name checks performed by OpenSSL. When an application, such as a TLS client, performs certificate name checks against a server certificate, it may attempt to read an invalid memory address. This occurs when comparing the expected name with an otherName subject alternative name of an X.509 certificate. Such invalid memory access can cause the application to crash, leading to a denial-of-service situation.

Affected Systems: Primarily, TLS clients that check server certificates are impacted, as they may terminate abnormally when performing certificate name checks.

Cause: The flaw is triggered when the application specifies an expected DNS name, email address, or IP address for validation against the certificate’s alternative names.

Severity: The issue is classified as moderate because it typically affects client-side applications and not TLS servers, which generally do not perform name checks against reference identifiers.

It is important to note that basic certificate chain validation (such as checking signatures or dates) remains unaffected. This means that the primary threat posed by CVE-2024-6119 is the potential for a DoS attack rather than a compromise of the cryptographic integrity of the certificates themselves.

Who Is Affected?

This vulnerability does not affect all versions of OpenSSL. The following details highlight which versions are impacted:

Vulnerable Versions: OpenSSL 3.3, 3.2, 3.1, and 3.0 are affected by this flaw.

Unaffected Versions: OpenSSL 1.1.1 and 1.0.2, along with FIPS modules in 3.3, 3.2, 3.1, and 3.0, are not impacted.

Recommended Upgrades:

  • OpenSSL 3.3 users should upgrade to OpenSSL 3.3.2.
  • OpenSSL 3.2 users should upgrade to OpenSSL 3.2.3.
  • OpenSSL 3.1 users should upgrade to OpenSSL 3.1.7.
  • OpenSSL 3.0 users should upgrade to OpenSSL 3.0.15.

Available Updates

To safeguard your environment from this OpenSSL vulnerability, it is crucial to update to the latest recommended versions promptly. Several Linux distributions, including Ubuntu and Debian, have released security updates to address this vulnerability. Check your distribution’s security advisories for specific instructions on how to update OpenSSL.

Ubuntu Users: Canonical has issued security updates for Ubuntu 24.04 LTS and Ubuntu 22.04 LTS, addressing the OpenSSL vulnerability.

Debian Users: The Debian security team has also released a fix in the Debian 12 (Bookworm) stable distribution with version 3.0.14-1~deb12u2.
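As an added example (not code from this article or from the OpenSSL project), the following Python script turns the upgrade table above into a check that classifies the output of `openssl version` as vulnerable, fixed or unaffected for CVE-2024-6119. The rule that any series newer than 3.3 is fixed is an assumption, and, as the Debian entry shows, distribution packages can carry the fix without changing the upstream version number, so the result is a first pass to confirm against your distribution's advisory.

```python
"""Check an OpenSSL version banner against the CVE-2024-6119 fix table.
Added example, not code from the TuxCare article or the OpenSSL project;
fixed versions and unaffected series are those the article lists."""
import re
import subprocess

# First fixed release per affected upstream series (from the article).
FIXED = {(3, 0): (3, 0, 15), (3, 1): (3, 1, 7), (3, 2): (3, 2, 3), (3, 3): (3, 3, 2)}
# Series the article lists as not affected.
UNAFFECTED_SERIES = {(1, 0), (1, 1)}
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str):
    """Extract (major, minor, patch) from 'openssl version' output such as
    'OpenSSL 3.0.14 4 Jun 2024'; returns None if the banner is not OpenSSL."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(banner: str) -> str:
    """Classify as 'fixed', 'vulnerable', 'unaffected' or 'unknown' for
    CVE-2024-6119, judging by the upstream version number only."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    series = v[:2]
    if series in UNAFFECTED_SERIES:
        return "unaffected"
    fixed = FIXED.get(series)
    if fixed is None:
        # Assumption: any series newer than 3.3 shipped after the fix; anything
        # else outside the table (e.g. 2.x) is not covered by the article.
        return "fixed" if series > (3, 3) else "unknown"
    return "fixed" if v >= fixed else "vulnerable"


def local_openssl_banner() -> str:
    """Run the system 'openssl version' binary and return its output line."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    banner = local_openssl_banner()
    print(f"{banner}: {assess(banner)}")
    # Caveat: distributions backport fixes without bumping the upstream number;
    # Debian 12's 3.0.14-1~deb12u2 is patched although it reports 3.0.14.
```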

Addressing OpenSSL Vulnerabilities in Older Linux Versions

For systems running older Linux versions that no longer receive official updates, TuxCare’s Extended Lifecycle Support offers an alternative solution. This service provides security updates for over 140 packages, including OpenSSL, across various distributions such as CentOS (6, 7, and 8), CentOS Stream, Ubuntu 16.04, and Ubuntu 18.04.

Furthermore, TuxCare also offers LibCare, a live patching solution for OpenSSL and glibc, which enables automated vulnerability patching without needing to reboot the system. LibCare is available as an add-on tool to KernelCare Enterprise, a live kernel patching tool for all major Linux distributions, including Ubuntu, RHEL, CentOS, CentOS Stream, Debian, AlmaLinux, Rocky Linux, CloudLinux, Amazon Linux, Oracle Linux, and more.

Send questions to our Linux security experts to learn more about modernizing your Linux patching approach with automated and rebootless patching.

Source: USN-6986-1
