CVE-2024-4741

Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause
memory to be accessed that was previously freed in some situations

Impact summary: A use after free can have a range of potential consequences such
as the corruption of valid data, crashes or execution of arbitrary code.
However, only applications that directly call the SSL_free_buffers function are
affected by this issue. Applications that do not call this function are not
vulnerable. Our investigations indicate that this function is rarely used by
applications.

The SSL_free_buffers function is used to free the internal OpenSSL buffer used
when processing an incoming record from the network. The call is only expected
to succeed if the buffer is not currently in use. However, two scenarios have
been identified where the buffer is freed even when still in use.

The first scenario occurs where a record header has been received from the
network and processed by OpenSSL, but the full record body has not yet arrived.
In this case calling SSL_free_buffers will succeed even though a record has only
been partially processed and the buffer is still in use.

The second scenario occurs where a full record containing application data has
been received and processed by OpenSSL but the application has only read part of
this data. Again a call to SSL_free_buffers will succeed even though the buffer
is still in use.

While these scenarios could occur accidentally during normal operation a
malicious attacker could attempt to engineer a stituation where this occurs.
We are not aware of this issue being actively exploited.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
opensslCNA
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
VendorProductVersion
opensslopenssl
1.1.1y <
𝑥
< 1.1.1y
opensslopenssl
3.0.14 <
𝑥
< 3.0.14
opensslopenssl
3.1.6 <
𝑥
< 3.1.6
opensslopenssl
3.2.2 <
𝑥
< 3.2.2
opensslopenssl
3.3.1 <
𝑥
< 3.3.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssl
bullseye
vulnerable
buster
postponed
bullseye (security)
1.1.1w-0+deb11u3
fixed
bookworm
3.0.16-1~deb12u1
fixed
bookworm (security)
3.0.14-1~deb12u2
fixed
trixie
3.5.0-2
fixed
sid
3.5.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
edk2
plucky
needed
oracular
ignored
noble
needed
mantic
ignored
jammy
needed
focal
needed
bionic
needs-triage
xenial
needs-triage
nodejs
plucky
not-affected
oracular
not-affected
noble
not-affected
mantic
not-affected
jammy
needed
focal
not-affected
bionic
needs-triage
xenial
needs-triage
trusty
not-affected
openssl
plucky
Fixed 3.2.2-1ubuntu1
released
oracular
Fixed 3.2.2-1ubuntu1
released
noble
Fixed 3.0.13-0ubuntu3.2
released
mantic
ignored
jammy
Fixed 3.0.2-0ubuntu1.17
released
focal
Fixed 1.1.1f-1ubuntu2.23
released
bionic
needs-triage
xenial
needs-triage
trusty
needs-triage
openssl1.0
plucky
dne
oracular
dne
noble
dne
mantic
dne
jammy
dne
focal
dne
bionic
not-affected
Common Weakness Enumeration
References
https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177
https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d
https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac
https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8
https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4
https://www.openssl.org/news/secadv/20240528.txt