Memory Access Issue in OpenSSL Affects Certificate Name Checks
CVE-2024-6119

7.5 HIGH

Key Information:

Vendor: OpenSSL

Status: Vendor

CVE Published: 3 September 2024

What is CVE-2024-6119?

A vulnerability in OpenSSL allows applications that perform certificate name checks, such as TLS clients, to read from an invalid memory address. This can cause the application process to terminate abnormally, resulting in a potential denial of service. The issue arises when the expected name is compared against an 'otherName' subject alternative name in an X.509 certificate. Basic certificate chain validation is unaffected, but applications that specify an expected DNS name, email address, or IP address are at risk. TLS servers are generally not impacted, since they typically do not perform name checks against reference identifiers. The FIPS modules in versions 3.3, 3.2, 3.1, and 3.0 are not affected.
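To make the description concrete, the following is an added illustration (not OpenSSL's code and not a reproduction of the defect) of what a reference-identifier check does: the expected DNS name, email address, or IP address is compared only against subjectAltName entries of the same GeneralName type, and entries of any other type, including otherName, are skipped without their payload being interpreted. The GeneralName type names, the GeneralName class, and the sample SAN list are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# GeneralName types as they appear in an X.509 subjectAltName extension (RFC 5280).
DNS_NAME = "dNSName"
RFC822_NAME = "rfc822Name"
IP_ADDRESS = "iPAddress"
OTHER_NAME = "otherName"


@dataclass(frozen=True)
class GeneralName:
    """One SAN entry. value is str for dNSName/rfc822Name, bytes for iPAddress,
    and an (oid, der_payload) tuple for otherName (hypothetical representation)."""
    kind: str
    value: Any


def _match_dns(expected: str, actual: str) -> bool:
    # Case-insensitive comparison; a single left-most wildcard label is allowed
    # and must match exactly one label (so "*.example.com" does not match "example.com").
    exp = expected.lower().rstrip(".").split(".")
    act = actual.lower().rstrip(".").split(".")
    if act[0] == "*":
        return len(exp) == len(act) and len(exp) >= 3 and exp[1:] == act[1:]
    return exp == act


def _match_email(expected: str, actual: str) -> bool:
    # Local part is compared exactly, domain part case-insensitively.
    if "@" not in expected or "@" not in actual:
        return False
    exp_local, exp_domain = expected.rsplit("@", 1)
    act_local, act_domain = actual.rsplit("@", 1)
    return exp_local == act_local and exp_domain.lower() == act_domain.lower()


def _match_ip(expected: str, actual_packed: bytes) -> bool:
    # iPAddress entries carry the raw 4- or 16-byte address, so compare packed forms.
    try:
        return ipaddress.ip_address(expected).packed == actual_packed
    except ValueError:
        return False


_MATCHERS: Dict[str, Callable[[str, Any], bool]] = {
    DNS_NAME: _match_dns,
    RFC822_NAME: _match_email,
    IP_ADDRESS: _match_ip,
}


def check_reference_identity(expected_kind: str, expected: str, san: List[GeneralName]) -> bool:
    """Return True iff some SAN entry of the same type as the reference identifier matches.

    Entries of a different type (including otherName) are never handed to a matcher,
    so their payload is never read as if it were a name of the expected type."""
    matcher = _MATCHERS[expected_kind]
    for entry in san:
        if entry.kind != expected_kind:
            continue
        if matcher(expected, entry.value):
            return True
    return False


# Constructed sample SAN: an otherName entry (hypothetical OID/payload), a wildcard
# DNS name, an email address and an IPv4 address.
SAMPLE_SAN = [
    GeneralName(OTHER_NAME, ("1.2.3.4.5.6.7.8.9", b"\x0c\x10constructed-data")),
    GeneralName(DNS_NAME, "*.example.com"),
    GeneralName(RFC822_NAME, "admin@Example.com"),
    GeneralName(IP_ADDRESS, ipaddress.ip_address("192.0.2.10").packed),
]

if __name__ == "__main__":
    print(check_reference_identity(DNS_NAME, "www.example.com", SAMPLE_SAN))   # True
    print(check_reference_identity(DNS_NAME, "example.com", SAMPLE_SAN))       # False
    print(check_reference_identity(RFC822_NAME, "admin@example.com", SAMPLE_SAN))  # True
    print(check_reference_identity(IP_ADDRESS, "192.0.2.10", SAMPLE_SAN))      # True
```

The point of the type filter in check_reference_identity is that a certificate may legitimately carry otherName entries alongside the names an application cares about; a name check that walks the SAN list must treat those entries as opaque and compare only same-type entries against the reference identifier.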

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
