Bug 2274020 (CVE-2024-2511)
| Summary: | CVE-2024-2511 openssl: Unbounded memory growth with session handling in TLSv1.3 | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marco Benatto <mbenatto> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | OpenSSL 3.2.2, OpenSSL 3.1.6, OpenSSL 3.0.14, OpenSSL 1.1.1y | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in OpenSSL. A malicious client can trigger uncontrolled memory consumption, resulting in a Denial of Service. This issue occurs because OpenSSL's TLSv1.3 session cache goes into an incorrect state and fails to flush properly as it fills. OpenSSL must be configured with the non-default SSL_OP_NO_TICKET option enabled to be vulnerable. This issue only affects TLSv1.3 servers; TLS clients are not affected. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2274021, 2274022, 2274023, 2274024 | | |
| Bug Blocks: | 2274025 | | |
Description
Marco Benatto, 2024-04-08 15:28:23 UTC

Created edk2 tracking bugs for this issue:
Affects: fedora-all [bug 2274024]

Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 2274023]

Created openssl11 tracking bugs for this issue:
Affects: epel-all [bug 2274022]

Created openssl3 tracking bugs for this issue:
Affects: epel-all [bug 2274021]