usn-7264-1
Vulnerability from osv_ubuntu
Published
2025-02-11 16:09
Modified
2025-02-11 16:09
Summary
openssl vulnerabilities
Details

It was discovered that OpenSSL clients incorrectly handled authenticating servers using RFC7250 Raw Public Keys. In certain cases, the connection will not abort as expected, possibly causing the communication to be intercepted. (CVE-2024-12797)

George Pantelakis and Alicja Kario discovered that OpenSSL had a timing side-channel when performing ECDSA signature computations. A remote attacker could possibly use this issue to recover private data. (CVE-2024-13176)

It was discovered that OpenSSL incorrectly handled certain memory operations when using low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial. When being used in this uncommon fashion, a remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2024-9143)


{
  "affected": [
    {
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "libssl-dev",
            "binary_version": "3.3.1-2ubuntu2.1"
          },
          {
            "binary_name": "libssl-doc",
            "binary_version": "3.3.1-2ubuntu2.1"
          },
          {
            "binary_name": "libssl3t64",
            "binary_version": "3.3.1-2ubuntu2.1"
          },
          {
            "binary_name": "libssl3t64-dbgsym",
            "binary_version": "3.3.1-2ubuntu2.1"
          },
          {
            "binary_name": "openssl",
            "binary_version": "3.3.1-2ubuntu2.1"
          },
          {
            "binary_name": "openssl-dbgsym",
            "binary_version": "3.3.1-2ubuntu2.1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:24.10",
        "name": "openssl",
        "purl": "pkg:deb/ubuntu/openssl@3.3.1-2ubuntu2.1?arch=source\u0026distro=oracular"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.1-2ubuntu2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.0.13-0ubuntu3",
        "3.0.13-0ubuntu4",
        "3.2.1-3ubuntu1",
        "3.2.2-1ubuntu1",
        "3.2.2-1ubuntu3",
        "3.3.1-2ubuntu1",
        "3.3.1-2ubuntu2"
      ]
    }
  ],
  "aliases": [],
  "details": "It was discovered that OpenSSL clients incorrectly handled authenticating\nservers using RFC7250 Raw Public Keys. In certain cases, the connection\nwill not abort as expected, possibly causing the communication to be\nintercepted. (CVE-2024-12797)\n\nGeorge Pantelakis and Alicja Kario discovered that OpenSSL had a timing\nside-channel when performing ECDSA signature computations. A remote\nattacker could possibly use this issue to recover private data.\n(CVE-2024-13176)\n\nIt was discovered that OpenSSL incorrectly handled certain memory\noperations when using low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial. When being used in this uncommon\nfashion, a remote attacker could use this issue to cause OpenSSL to crash,\nresulting in a denial of service, or possibly execute arbitrary code.\n(CVE-2024-9143)\n",
  "id": "USN-7264-1",
  "modified": "2025-02-11T16:09:22.533371Z",
  "published": "2025-02-11T16:09:22.533371Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-7264-1"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-9143"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-12797"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-13176"
    }
  ],
  "related": [
    "CVE-2024-9143",
    "UBUNTU-CVE-2024-9143",
    "CVE-2024-12797",
    "UBUNTU-CVE-2024-12797",
    "CVE-2024-13176",
    "UBUNTU-CVE-2024-13176"
  ],
  "schema_version": "1.6.3",
  "summary": "openssl vulnerabilities"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…