cve-2024-4741
Vulnerability from cvelistv5
Published
2024-11-13 10:20
Modified
2024-11-13 14:49
Severity ?
EPSS score ?
0.08% (0.21076)
Summary
Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a stituation where this occurs. We are not aware of this issue being actively exploited. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
References
openssl-security@openssl.orghttps://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177
openssl-security@openssl.orghttps://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d
openssl-security@openssl.orghttps://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac
openssl-security@openssl.orghttps://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8
openssl-security@openssl.orghttps://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4
openssl-security@openssl.orghttps://www.openssl.org/news/secadv/20240528.txt
Impacted products
Vendor Product Version
OpenSSL OpenSSL Version: 3.3.0   
Version: 3.2.0   
Version: 3.1.0   
Version: 3.0.0   
Version: 1.1.1   < 1.1.1y
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:openssl:openssl:-:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "openssl",
                  vendor: "openssl",
                  versions: [
                     {
                        lessThan: "1.1.1y",
                        status: "affected",
                        version: "1.1.1",
                        versionType: "semver",
                     },
                     {
                        lessThan: "3.0.14",
                        status: "affected",
                        version: "3.0.0",
                        versionType: "semver",
                     },
                     {
                        lessThan: "3.1.6",
                        status: "affected",
                        version: "3.1.0",
                        versionType: "semver",
                     },
                     {
                        lessThan: "3.2.2",
                        status: "affected",
                        version: "3.2.0",
                        versionType: "semver",
                     },
                     {
                        lessThan: "3.3.1",
                        status: "affected",
                        version: "3.3.0",
                        versionType: "semver",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "HIGH",
                     baseScore: 7.5,
                     baseSeverity: "HIGH",
                     confidentialityImpact: "NONE",
                     integrityImpact: "NONE",
                     privilegesRequired: "NONE",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2024-4741",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-11-13T14:45:07.092438Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-13T14:49:05.977Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "OpenSSL",
               vendor: "OpenSSL",
               versions: [
                  {
                     lessThan: "3.3.1",
                     status: "affected",
                     version: "3.3.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.2.2",
                     status: "affected",
                     version: "3.2.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.1.6",
                     status: "affected",
                     version: "3.1.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.0.14",
                     status: "affected",
                     version: "3.0.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "1.1.1y",
                     status: "affected",
                     version: "1.1.1",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               value: "William Ahern (Akamai)",
            },
            {
               lang: "en",
               type: "remediation developer",
               value: "Matt Caswell",
            },
            {
               lang: "en",
               type: "remediation developer",
               value: "Watson Ladd (Akamai)",
            },
         ],
         datePublic: "2024-05-27T23:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause<br>memory to be accessed that was previously freed in some situations<br><br>Impact summary: A use after free can have a range of potential consequences such<br>as the corruption of valid data, crashes or execution of arbitrary code.<br>However, only applications that directly call the SSL_free_buffers function are<br>affected by this issue. Applications that do not call this function are not<br>vulnerable. Our investigations indicate that this function is rarely used by<br>applications.<br><br>The SSL_free_buffers function is used to free the internal OpenSSL buffer used<br>when processing an incoming record from the network. The call is only expected<br>to succeed if the buffer is not currently in use. However, two scenarios have<br>been identified where the buffer is freed even when still in use.<br><br>The first scenario occurs where a record header has been received from the<br>network and processed by OpenSSL, but the full record body has not yet arrived.<br>In this case calling SSL_free_buffers will succeed even though a record has only<br>been partially processed and the buffer is still in use.<br><br>The second scenario occurs where a full record containing application data has<br>been received and processed by OpenSSL but the application has only read part of<br>this data. Again a call to SSL_free_buffers will succeed even though the buffer<br>is still in use.<br><br>While these scenarios could occur accidentally during normal operation a<br>malicious attacker could attempt to engineer a stituation where this occurs.<br>We are not aware of this issue being actively exploited.<br><br>The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",
                  },
               ],
               value: "Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\nmemory to be accessed that was previously freed in some situations\n\nImpact summary: A use after free can have a range of potential consequences such\nas the corruption of valid data, crashes or execution of arbitrary code.\nHowever, only applications that directly call the SSL_free_buffers function are\naffected by this issue. Applications that do not call this function are not\nvulnerable. Our investigations indicate that this function is rarely used by\napplications.\n\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\nwhen processing an incoming record from the network. The call is only expected\nto succeed if the buffer is not currently in use. However, two scenarios have\nbeen identified where the buffer is freed even when still in use.\n\nThe first scenario occurs where a record header has been received from the\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\nIn this case calling SSL_free_buffers will succeed even though a record has only\nbeen partially processed and the buffer is still in use.\n\nThe second scenario occurs where a full record containing application data has\nbeen received and processed by OpenSSL but the application has only read part of\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\nis still in use.\n\nWhile these scenarios could occur accidentally during normal operation a\nmalicious attacker could attempt to engineer a stituation where this occurs.\nWe are not aware of this issue being actively exploited.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",
            },
         ],
         metrics: [
            {
               format: "other",
               other: {
                  content: {
                     text: "Low",
                  },
                  type: "https://www.openssl.org/policies/secpolicy.html",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-416",
                     description: "CWE-416 Use After Free",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-11-13T10:20:50.711Z",
            orgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
            shortName: "openssl",
         },
         references: [
            {
               name: "OpenSSL Advisory",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://www.openssl.org/news/secadv/20240528.txt",
            },
            {
               name: "3.3.1 git commit",
               tags: [
                  "patch",
               ],
               url: "https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8",
            },
            {
               name: "3.2.2 git commit",
               tags: [
                  "patch",
               ],
               url: "https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac",
            },
            {
               name: "3.1.6 git commit",
               tags: [
                  "patch",
               ],
               url: "https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177",
            },
            {
               name: "3.0.14 git commit",
               tags: [
                  "patch",
               ],
               url: "https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d",
            },
            {
               name: "1.1.1y git commit",
               tags: [
                  "patch",
               ],
               url: "https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Use After Free with SSL_free_buffers",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
      assignerShortName: "openssl",
      cveId: "CVE-2024-4741",
      datePublished: "2024-11-13T10:20:50.711Z",
      dateReserved: "2024-05-10T09:56:11.310Z",
      dateUpdated: "2024-11-13T14:49:05.977Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         descriptions: "[{\"lang\": \"en\", \"value\": \"Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\\nmemory to be accessed that was previously freed in some situations\\n\\nImpact summary: A use after free can have a range of potential consequences such\\nas the corruption of valid data, crashes or execution of arbitrary code.\\nHowever, only applications that directly call the SSL_free_buffers function are\\naffected by this issue. Applications that do not call this function are not\\nvulnerable. Our investigations indicate that this function is rarely used by\\napplications.\\n\\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\\nwhen processing an incoming record from the network. The call is only expected\\nto succeed if the buffer is not currently in use. However, two scenarios have\\nbeen identified where the buffer is freed even when still in use.\\n\\nThe first scenario occurs where a record header has been received from the\\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\\nIn this case calling SSL_free_buffers will succeed even though a record has only\\nbeen partially processed and the buffer is still in use.\\n\\nThe second scenario occurs where a full record containing application data has\\nbeen received and processed by OpenSSL but the application has only read part of\\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\\nis still in use.\\n\\nWhile these scenarios could occur accidentally during normal operation a\\nmalicious attacker could attempt to engineer a stituation where this occurs.\\nWe are not aware of this issue being actively exploited.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\"}, {\"lang\": \"es\", \"value\": \"Resumen del problema: Llamar a la funci\\u00f3n de API de OpenSSL SSL_free_buffers puede provocar que se acceda a la memoria que se liber\\u00f3 previamente en algunas situaciones Resumen del impacto: Un use after free puede tener una variedad de posibles consecuencias, como la corrupci\\u00f3n de datos v\\u00e1lidos, fallas o ejecuci\\u00f3n de c\\u00f3digo arbitrario. Sin embargo, solo las aplicaciones que llaman directamente a la funci\\u00f3n SSL_free_buffers se ven afectadas por este problema. Las aplicaciones que no llaman a esta funci\\u00f3n no son vulnerables. Nuestras investigaciones indican que las aplicaciones rara vez usan esta funci\\u00f3n. La funci\\u00f3n SSL_free_buffers se usa para liberar el b\\u00fafer interno de OpenSSL que se usa al procesar un registro entrante de la red. Solo se espera que la llamada tenga \\u00e9xito si el b\\u00fafer no est\\u00e1 actualmente en uso. Sin embargo, se han identificado dos escenarios en los que el b\\u00fafer se libera incluso cuando todav\\u00eda est\\u00e1 en uso. El primer escenario ocurre cuando se recibi\\u00f3 un encabezado de registro de la red y OpenSSL lo proces\\u00f3, pero a\\u00fan no lleg\\u00f3 el cuerpo completo del registro. En este caso, llamar a SSL_free_buffers tendr\\u00e1 \\u00e9xito incluso si un registro solo se proces\\u00f3 parcialmente y el b\\u00fafer todav\\u00eda est\\u00e1 en uso. El segundo escenario ocurre cuando OpenSSL ha recibido y procesado un registro completo que contiene datos de la aplicaci\\u00f3n, pero la aplicaci\\u00f3n solo ha le\\u00eddo parte de estos datos. Nuevamente, una llamada a SSL_free_buffers tendr\\u00e1 \\u00e9xito aunque el b\\u00fafer a\\u00fan est\\u00e9 en uso. Si bien estos escenarios podr\\u00edan ocurrir accidentalmente durante el funcionamiento normal, un atacante malintencionado podr\\u00eda intentar crear una situaci\\u00f3n en la que esto ocurra. No tenemos conocimiento de que este problema se est\\u00e9 explotando activamente. Los m\\u00f3dulos FIPS en 3.3, 3.2, 3.1 y 3.0 no se ven afectados por este problema.\"}]",
         id: "CVE-2024-4741",
         lastModified: "2024-11-13T17:01:16.850",
         metrics: "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
         published: "2024-11-13T11:15:04.480",
         references: "[{\"url\": \"https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://www.openssl.org/news/secadv/20240528.txt\", \"source\": \"openssl-security@openssl.org\"}]",
         sourceIdentifier: "openssl-security@openssl.org",
         vulnStatus: "Awaiting Analysis",
         weaknesses: "[{\"source\": \"openssl-security@openssl.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}]",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2024-4741\",\"sourceIdentifier\":\"openssl-security@openssl.org\",\"published\":\"2024-11-13T11:15:04.480\",\"lastModified\":\"2024-11-13T17:01:16.850\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\\nmemory to be accessed that was previously freed in some situations\\n\\nImpact summary: A use after free can have a range of potential consequences such\\nas the corruption of valid data, crashes or execution of arbitrary code.\\nHowever, only applications that directly call the SSL_free_buffers function are\\naffected by this issue. Applications that do not call this function are not\\nvulnerable. Our investigations indicate that this function is rarely used by\\napplications.\\n\\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\\nwhen processing an incoming record from the network. The call is only expected\\nto succeed if the buffer is not currently in use. However, two scenarios have\\nbeen identified where the buffer is freed even when still in use.\\n\\nThe first scenario occurs where a record header has been received from the\\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\\nIn this case calling SSL_free_buffers will succeed even though a record has only\\nbeen partially processed and the buffer is still in use.\\n\\nThe second scenario occurs where a full record containing application data has\\nbeen received and processed by OpenSSL but the application has only read part of\\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\\nis still in use.\\n\\nWhile these scenarios could occur accidentally during normal operation a\\nmalicious attacker could attempt to engineer a stituation where this occurs.\\nWe are not aware of this issue being actively exploited.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\"},{\"lang\":\"es\",\"value\":\"Resumen del problema: Llamar a la función de API de OpenSSL SSL_free_buffers puede provocar que se acceda a la memoria que se liberó previamente en algunas situaciones Resumen del impacto: Un use after free puede tener una variedad de posibles consecuencias, como la corrupción de datos válidos, fallas o ejecución de código arbitrario. Sin embargo, solo las aplicaciones que llaman directamente a la función SSL_free_buffers se ven afectadas por este problema. Las aplicaciones que no llaman a esta función no son vulnerables. Nuestras investigaciones indican que las aplicaciones rara vez usan esta función. La función SSL_free_buffers se usa para liberar el búfer interno de OpenSSL que se usa al procesar un registro entrante de la red. Solo se espera que la llamada tenga éxito si el búfer no está actualmente en uso. Sin embargo, se han identificado dos escenarios en los que el búfer se libera incluso cuando todavía está en uso. El primer escenario ocurre cuando se recibió un encabezado de registro de la red y OpenSSL lo procesó, pero aún no llegó el cuerpo completo del registro. En este caso, llamar a SSL_free_buffers tendrá éxito incluso si un registro solo se procesó parcialmente y el búfer todavía está en uso. El segundo escenario ocurre cuando OpenSSL ha recibido y procesado un registro completo que contiene datos de la aplicación, pero la aplicación solo ha leído parte de estos datos. Nuevamente, una llamada a SSL_free_buffers tendrá éxito aunque el búfer aún esté en uso. Si bien estos escenarios podrían ocurrir accidentalmente durante el funcionamiento normal, un atacante malintencionado podría intentar crear una situación en la que esto ocurra. No tenemos conocimiento de que este problema se esté explotando activamente. Los módulos FIPS en 3.3, 3.2, 3.1 y 3.0 no se ven afectados por este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"openssl-security@openssl.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"references\":[{\"url\":\"https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.openssl.org/news/secadv/20240528.txt\",\"source\":\"openssl-security@openssl.org\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-4741\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-13T14:45:07.092438Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:openssl:openssl:-:*:*:*:*:*:*:*\"], \"vendor\": \"openssl\", \"product\": \"openssl\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.1.1\", \"lessThan\": \"1.1.1y\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.0.14\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.1.0\", \"lessThan\": \"3.1.6\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.2.0\", \"lessThan\": \"3.2.2\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.3.0\", \"lessThan\": \"3.3.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-13T14:48:43.735Z\"}}], \"cna\": {\"title\": \"Use After Free with SSL_free_buffers\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"William Ahern (Akamai)\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Matt Caswell\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Watson Ladd (Akamai)\"}], \"metrics\": [{\"other\": {\"type\": \"https://www.openssl.org/policies/secpolicy.html\", \"content\": {\"text\": \"Low\"}}, \"format\": \"other\"}], \"affected\": [{\"vendor\": \"OpenSSL\", \"product\": \"OpenSSL\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.3.0\", \"lessThan\": \"3.3.1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.2.0\", \"lessThan\": \"3.2.2\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.1.0\", \"lessThan\": \"3.1.6\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.0.14\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.1.1\", \"lessThan\": \"1.1.1y\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-05-27T23:00:00.000Z\", \"references\": [{\"url\": \"https://www.openssl.org/news/secadv/20240528.txt\", \"name\": \"OpenSSL Advisory\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8\", \"name\": \"3.3.1 git commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac\", \"name\": \"3.2.2 git commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177\", \"name\": \"3.1.6 git commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d\", \"name\": \"3.0.14 git commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4\", \"name\": \"1.1.1y git commit\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\\nmemory to be accessed that was previously freed in some situations\\n\\nImpact summary: A use after free can have a range of potential consequences such\\nas the corruption of valid data, crashes or execution of arbitrary code.\\nHowever, only applications that directly call the SSL_free_buffers function are\\naffected by this issue. Applications that do not call this function are not\\nvulnerable. Our investigations indicate that this function is rarely used by\\napplications.\\n\\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\\nwhen processing an incoming record from the network. The call is only expected\\nto succeed if the buffer is not currently in use. However, two scenarios have\\nbeen identified where the buffer is freed even when still in use.\\n\\nThe first scenario occurs where a record header has been received from the\\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\\nIn this case calling SSL_free_buffers will succeed even though a record has only\\nbeen partially processed and the buffer is still in use.\\n\\nThe second scenario occurs where a full record containing application data has\\nbeen received and processed by OpenSSL but the application has only read part of\\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\\nis still in use.\\n\\nWhile these scenarios could occur accidentally during normal operation a\\nmalicious attacker could attempt to engineer a stituation where this occurs.\\nWe are not aware of this issue being actively exploited.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause<br>memory to be accessed that was previously freed in some situations<br><br>Impact summary: A use after free can have a range of potential consequences such<br>as the corruption of valid data, crashes or execution of arbitrary code.<br>However, only applications that directly call the SSL_free_buffers function are<br>affected by this issue. Applications that do not call this function are not<br>vulnerable. Our investigations indicate that this function is rarely used by<br>applications.<br><br>The SSL_free_buffers function is used to free the internal OpenSSL buffer used<br>when processing an incoming record from the network. The call is only expected<br>to succeed if the buffer is not currently in use. However, two scenarios have<br>been identified where the buffer is freed even when still in use.<br><br>The first scenario occurs where a record header has been received from the<br>network and processed by OpenSSL, but the full record body has not yet arrived.<br>In this case calling SSL_free_buffers will succeed even though a record has only<br>been partially processed and the buffer is still in use.<br><br>The second scenario occurs where a full record containing application data has<br>been received and processed by OpenSSL but the application has only read part of<br>this data. Again a call to SSL_free_buffers will succeed even though the buffer<br>is still in use.<br><br>While these scenarios could occur accidentally during normal operation a<br>malicious attacker could attempt to engineer a stituation where this occurs.<br>We are not aware of this issue being actively exploited.<br><br>The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"3a12439a-ef3a-4c79-92e6-6081a721f1e5\", \"shortName\": \"openssl\", \"dateUpdated\": \"2024-11-13T10:20:50.711Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-4741\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-13T14:49:05.977Z\", \"dateReserved\": \"2024-05-10T09:56:11.310Z\", \"assignerOrgId\": \"3a12439a-ef3a-4c79-92e6-6081a721f1e5\", \"datePublished\": \"2024-11-13T10:20:50.711Z\", \"assignerShortName\": \"openssl\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.