CVE-2024-2511

Issue summary: Some non-default TLS server configurations can cause unbounded
memory growth when processing TLSv1.3 sessions

Impact summary: An attacker may exploit certain server configurations to trigger
unbounded memory growth that would lead to a Denial of Service

This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is
being used (but not if early_data support is also configured and the default
anti-replay protection is in use). In this case, under certain conditions, the
session cache can get into an incorrect state and it will fail to flush properly
as it fills. The session cache will continue to grow in an unbounded manner. A
malicious client could deliberately create the scenario for this failure to
force a Denial of Service. It may also happen by accident in normal operation.

This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS
clients.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL
1.0.2 is also not affected by this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
opensslCNA
---
---
CISA-ADPADP
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
Debian logo
Debian Releases
Debian Product
Codename
openssl
bullseye
vulnerable
buster
postponed
bullseye (security)
1.1.1w-0+deb11u3
fixed
bookworm
3.0.16-1~deb12u1
fixed
bookworm (security)
3.0.14-1~deb12u2
fixed
trixie
3.5.0-1
fixed
sid
3.5.0-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
edk2
plucky
needed
oracular
needed
noble
needed
mantic
ignored
jammy
needed
focal
needed
bionic
needs-triage
xenial
needs-triage
nodejs
plucky
not-affected
oracular
not-affected
noble
not-affected
mantic
not-affected
jammy
needed
focal
not-affected
bionic
needs-triage
xenial
needs-triage
trusty
not-affected
openssl
plucky
Fixed 3.2.2-1ubuntu1
released
oracular
Fixed 3.2.2-1ubuntu1
released
noble
Fixed 3.0.13-0ubuntu3.2
released
mantic
ignored
jammy
Fixed 3.0.2-0ubuntu1.17
released
focal
Fixed 1.1.1f-1ubuntu2.23
released
bionic
needs-triage
xenial
needs-triage
trusty
needs-triage
openssl1.0
plucky
dne
oracular
dne
noble
dne
mantic
dne
jammy
dne
focal
dne
bionic
not-affected
Common Weakness Enumeration
References
https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce
https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640
https://www.openssl.org/news/secadv/20240408.txt
http://www.openwall.com/lists/oss-security/2024/04/08/5
https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce
https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640
https://security.netapp.com/advisory/ntap-20240503-0013/
https://www.openssl.org/news/secadv/20240408.txt