#VU93424 Out-of-bounds read in OpenSSL - CVE-2024-5535


| Updated: 2025-02-05

Vulnerability identifier: #VU93424

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-5535

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the SSL_select_next_proto() function when using NPN. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds read and perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 1.0.2s - 1.0.2p, 1.1.1d - 1.1.1p, 3.0.0 - 3.0.14, 3.1.0 - 3.1.6, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1

External links
https://www.openssl.org/news/secadv/20240627.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat JBoss Core Services Apache HTTP Server
Multiple vulnerabilities in OpenShift Logging 5.8
Dell Data Lakehouse System software update for third-party components
Anolis OS update for mysql:8.0 module
Anolis OS update for openssl
Multiple vulnerabilities in IBM Concert Software
openEuler 24.03 LTS update for compat-openssl11
Multiple vulnerabilities in IBM Guardium Data Protection
Multiple vulnerabilities in IBM Rational ClearQuest
Multiple vulnerabilities in IBM Rational ClearCase