SB2024072329 - Multiple vulnerabilities in Botan
Published: July 23, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Improper Certificate Validation (CVE-ID: CVE-2024-39312)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the Name Constraint Decoding bug. A remote attacker can cause the target system to accept arbitrary certificates.
2) Asymmetric Resource Consumption (Amplification) (CVE-ID: CVE-2024-34702)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive name constraints. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86
- https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j
- https://github.com/randombit/botan/pull/4034
- https://github.com/randombit/botan/pull/4045
- https://github.com/randombit/botan/pull/4047
- https://github.com/randombit/botan/pull/4052
- https://github.com/randombit/botan/pull/4186
- https://github.com/randombit/botan/pull/4187
- https://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e
- https://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac
- https://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1
- https://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf
- https://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41
- https://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8