Memory Access Issue in OpenSSL Affects Certificate Name Checks
CVE-2024-6119
Summary
A vulnerability in OpenSSL allows applications that perform certificate name checks, such as TLS clients, to read an invalid memory address. This may cause the application process to terminate abnormally, potentially resulting in a denial of service. The issue arises when comparing the expected name against an 'otherName' subject alternative name of an X.509 certificate. Basic certificate chain validation is unaffected; only applications that specify an expected DNS name, email address, or IP address (a reference identifier) are at risk. TLS servers are generally not impacted, as they typically do not perform name checks against reference identifiers. The FIPS modules in versions 3.3, 3.2, 3.1, and 3.0 are unaffected.
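The distinction the summary draws is between chain validation (unaffected) and the name check that hands OpenSSL an expected DNS name, email address, or IP address (affected). The following script, an added example that is not OpenSSL's or the advisory's own code, shows how that distinction surfaces in a Python TLS client: a context with `check_hostname` enabled asks OpenSSL to compare the peer certificate against a reference identifier, while a context that only verifies the chain does not. It assumes the `ssl` module is linked against the OpenSSL build under review, and, because the advisory names the 3.0 to 3.3 release lines without listing fixed point releases, it flags any 3.x build for manual confirmation rather than deciding vulnerability itself.

```python
import ssl

# Assumption: the advisory covers the OpenSSL 3.0, 3.1, 3.2 and 3.3 lines but does
# not list fixed point releases here, so every 3.x build is reported as "in scope"
# and must be confirmed against the vendor's fix list.
AFFECTED_MAJOR = 3


def openssl_version_tuple():
    """(major, minor, fix) of the OpenSSL the ssl module was compiled against."""
    major, minor, fix, *_ = ssl.OPENSSL_VERSION_INFO
    return major, minor, fix


def build_is_in_scope(version=None):
    """True when the linked OpenSSL belongs to a release line the advisory names."""
    if version is None:
        version = openssl_version_tuple()
    return version[0] == AFFECTED_MAJOR


def context_sets_reference_identifier(ctx):
    """True when this client context makes OpenSSL compare the peer certificate
    against an expected hostname or IP (Python sets the reference identifier on
    the X509_VERIFY_PARAM when check_hostname is enabled and the peer is verified).
    This is the code path the advisory describes; chain-only verification is not."""
    return ctx.verify_mode != ssl.CERT_NONE and bool(ctx.check_hostname)


def exposure(ctx, version=None):
    """Classify a client context with respect to the advisory:
    'none'        - peer verification disabled, no name check, no chain check
    'chain-only'  - chain verified, but no expected name is passed to OpenSSL
    'name-check'  - expected name passed to OpenSSL on an in-scope (3.x) build
    'name-check-other-line' - expected name passed, but build is not a 3.x line
    """
    if ctx.verify_mode == ssl.CERT_NONE:
        return "none"
    if not ctx.check_hostname:
        return "chain-only"
    return "name-check" if build_is_in_scope(version) else "name-check-other-line"


def report():
    """Describe the default client context of this interpreter and its OpenSSL."""
    default_ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "version": openssl_version_tuple(),
        "default_client_context": exposure(default_ctx),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The useful takeaway for an inventory is the third category: a process that verifies the chain but never sets a hostname (for example, a client that pins the peer by public key instead) is outside the code path the advisory describes, whereas every default `ssl.create_default_context()` client is inside it and should be matched against the vendor's fixed versions.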