SUSE update for openvpn

1) Resource management error

EUVDB-ID: #VU92938

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-28882

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application. A remote authenticated client can make the server "keep the session" even when the server has been told to disconnect this client.

Mitigation

Update the affected package openvpn to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

openvpn-debugsource: before 2.3.8-16.32.1

openvpn-auth-pam-plugin: before 2.3.8-16.32.1

openvpn-debuginfo: before 2.3.8-16.32.1

openvpn-auth-pam-plugin-debuginfo: before 2.3.8-16.32.1

openvpn: before 2.3.8-16.32.1

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:openvpn-debugsource:*:*:*:*:*:suse_linux:*:
• cpe:2.3:o:suse:openvpn-auth-pam-plugin:*:*:*:*:*:suse_linux:*:
• cpe:2.3:o:suse:openvpn-debuginfo:*:*:*:*:*:suse_linux:*:
• cpe:2.3:o:suse:openvpn-auth-pam-plugin-debuginfo:*:*:*:*:*:suse_linux:*:
• cpe:2.3:o:suse:openvpn:*:*:*:*:*:suse_linux:*:

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20243532-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.