2272883 – (CVE-2024-28836) CVE-2024-28836 Mbed-TLS: Denial of Service

Bug 2272883 (CVE-2024-28836) - CVE-2024-28836 Mbed-TLS: Denial of Service

Summary: CVE-2024-28836 Mbed-TLS: Denial of Service

Keywords:
Status:	NEW
Alias:	CVE-2024-28836
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2272884 2272885
Blocks:
TreeView+	depends on / blocked

Reported:	2024-04-03 04:58 UTC by Avinash Hanwate
Modified:	2024-04-03 04:59 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2024-04-03 04:58:51 UTC

An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When negotiating the TLS version on the server side, it can fall back to the TLS 1.2 implementation of the protocol if it is disabled. If the TLS 1.2 implementation was disabled at build time, a TLS 1.2 client could put a TLS 1.3-only server into an infinite loop processing a TLS 1.2 ClientHello, resulting in a denial of service. If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client can successfully establish a TLS 1.2 connection with the server.

https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0
https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

Comment 1 Avinash Hanwate 2024-04-03 04:59:09 UTC

Created mbedtls tracking bugs for this issue:

Affects: epel-all [bug 2272885]
Affects: fedora-all [bug 2272884]

Note You need to log in before you can comment on or make changes to this bug.