Strix
26.1K

CVE-2024-6119

HIGHCVSS 7.5/10EPSS 66.59%

Last modified

CVE-2024-6119 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. EPSS estimates a 66.59% chance of exploitation in the next 30 days.

Description

Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
66.59%

99.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
OpensslOpenssl>= 3.0.0, < 3.0.15
OpensslOpenssl>= 3.1.0, < 3.1.7
OpensslOpenssl>= 3.2.0, < 3.2.3
OpensslOpenssl>= 3.3.0, < 3.3.2
NetappActive Iq Unified ManagerAll versions
NetappManagement Services For Element Software And Netapp HciAll versions
NetappOntap 9All versions
NetappOntap Select Deploy Administration UtilityAll versions
NetappOntap Tools9
NetappBrocade Fabric Operating SystemAll versions
NetappH300s FirmwareAll versions
NetappH500s FirmwareAll versions
NetappH700s FirmwareAll versions
NetappH410s FirmwareAll versions
NetappH410c FirmwareAll versions
NetappH610c FirmwareAll versions
NetappH610s FirmwareAll versions
NetappH615cAll versions
NetappBootstrap OsAll versions
NetappA250 FirmwareAll versions
Netapp500f FirmwareAll versions
NetappC250 FirmwareAll versions

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2024-6119?
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
How severe is CVE-2024-6119?
CVE-2024-6119 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 66.59% probability of exploitation in the next 30 days.
How do I fix CVE-2024-6119?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-6119?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST