====================================================================

                               CERT-Renater

                    Note d'Information No. 2024/VULN351
_____________________________________________________________________

DATE                : 04/09/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running OpenSSL versions prior
                         to 3.3.2, 3.2.3, 3.1.7, 3.0.15.

=====================================================================
https://openssl-library.org/news/secadv/20240903.txt
_____________________________________________________________________


OpenSSL Security Advisory [3rd September 2024]
==============================================

Possible denial of service in X.509 name checks (CVE-2024-6119)
===============================================================

Severity: Moderate

Issue summary: Applications performing certificate name checks
(e.g., TLS clients checking server certificates) may attempt to read
an invalid memory address resulting in abnormal termination of the
application process.

Impact summary: Abnormal termination of an application can a cause
a denial of service.

Applications performing certificate name checks (e.g., TLS clients
checking server certificates) may attempt to read an invalid memory
address when comparing the expected name with an `otherName` subject
alternative name of an X.509 certificate. This may result in an
exception that terminates the application program.

Note that basic certificate chain validation (signatures, dates, ...)
is not affected, the denial of service can occur only when the
application also specifies an expected DNS name, Email address or
IP address.

TLS servers rarely solicit client certificates, and even when they
do, they generally don't perform a name check against a "reference
identifier" (expected identity), but rather extract the presented
identity after checking the certificate chain.  So TLS servers are
generally not affected and the severity of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this
issue.

OpenSSL 1.1.1 and 1.0.2 are also not affected by this issue.

OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.2

OpenSSL 3.2 users should upgrade to OpenSSL 3.2.3

OpenSSL 3.1 users should upgrade to OpenSSL 3.1.7

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.15

This issue was reported on 16th June 2024 by David Benjamin
(Google), reiterating an AddressSanitizer issue raised on
30th September 2021.
The fix was developed by Viktor Dukhovni.

General Advisory Notes
======================

URL for this Security Advisory:
https://openssl-library.org/news/secadv/20240903.txt

Note: the online version of the advisory may be updated with
additional details over time.

For details of OpenSSL severity classifications please see:
https://openssl-library.org/policies/general/security-policy/

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================