Memory Access Issue in OpenSSL Affects Certificate Name Checks
CVE-2024-6119

7.5HIGH

Key Information:

Vendor: OpenSSL
Status: OpenSSL
Vendor: CVE Published:; 3 September 2024

What is CVE-2024-6119?

A vulnerability in OpenSSL allows applications performing certificate name checks, such as those in TLS clients, to read an invalid memory address. This may lead to an abnormal termination of the application process, potentially resulting in a denial of service. The issue arises when comparing the expected name with an 'otherName' subject alternative name of an X.509 certificate. Although basic certificate chain validation is unaffected, applications specifying an expected DNS name, Email address, or IP address are at risk. Notably, TLS servers are generally not impacted, as they typically do not perform name checks against reference identifiers. The FIPS modules in versions 3.3, 3.2, 3.1, and 3.0 remain unaffected.

References

https://openssl-library.org/news/secadv/20240903.txt

https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2...

https://github.com/openssl/openssl/commit/05f360d9e849a1b...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 3, 2024