
OpenSSL: A vulnerability could allow a denial of service

An updated IT security alert has been issued for a known vulnerability in OpenSSL. Here you will find a description of the vulnerability, along with the latest updates and details about the affected operating systems and products.

The Federal Office for Information Security (BSI) published an update on June 11, 2024 to the OpenSSL security issue identified on April 8, 2024. The operating systems Linux and macOS are affected.

The latest vendor recommendations on updates, workarounds, and security patches for this vulnerability can be found here: Amazon Linux Security Advisory ALAS-2024-2564 (as of June 12, 2024). Further useful links are listed later in this article.

OpenSSL Security Notice – Risk: Moderate

Risk level: 3 (moderate)
CVSS base score: 7.5
CVSS temporal score: 6.5
Remote attack: Yes

The Common Vulnerability Scoring System (CVSS) is used to assess the severity of vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security vulnerabilities on the basis of various metrics in order to prioritize countermeasures. The attributes “none”, “low”, “medium”, “high” and “critical” are used to describe the severity of a vulnerability. The base score evaluates the requirements for an attack (including authentication, complexity, privileges, user interaction) and its consequences. The temporal score additionally takes into account conditions that can change over time. According to CVSS, the severity of the vulnerability discussed here is rated as “high” with a base score of 7.5.

OpenSSL bug: vulnerability allows denial of service

OpenSSL is a freely available code library that implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

A remote, anonymous attacker can exploit a vulnerability in OpenSSL to conduct a denial-of-service attack.

The vulnerability is tracked under the CVE (Common Vulnerabilities and Exposures) ID CVE-2024-2511.

Systems affected by the OpenSSL security vulnerability at a glance

Operating systems
Linux, macOS

Products
Amazon Linux 2 (cpe:/o:amazon:linux_2)
SUSE Linux (cpe:/o:suse:suse_linux)
Open Source OpenSSL
Phoenix Contact FL MGUARD 1102
Phoenix Contact FL MGUARD 1105

General recommendations for dealing with IT security vulnerabilities

  1. Users of the affected products should stay up to date. When security vulnerabilities become known, manufacturers must fix them quickly by developing a patch or a workaround. If security patches are available, install them immediately.
  2. For details, see the sources listed in the next section. These usually contain additional information about the latest version of the software in question and about the availability of security patches or workaround tips.
  3. If you have any questions or concerns, please contact your responsible administrator. IT security managers should regularly check the listed sources to see whether a new security update is available.

Vendor information on updates, patches and workarounds

Here you will find further links with information about bug reports, security fixes and workarounds.

Amazon Linux Security Advisory ALAS-2024-2564 dated 2024-06-12 (11.06.2024)
VDE-CERT Security Advisory VDE-2024-029 dated 2024-06-11 (10.06.2024)
SUSE Security Update SUSE-SU-2024:1949-1 dated 2024-06-07 (09.06.2024)
SUSE Security Update SUSE-SU-2024:1947-1 dated 2024-06-07 (09.06.2024)
SUSE Security Update SUSE-SU-2024:1808-1 dated 2024-05-29 (28.05.2024)
Amazon Linux Security Advisory ALAS-2024-2539 dated 2024-05-15 (15.05.2024)
SUSE Security Update SUSE-SU-2024:1633-1 dated 2024-05-14 (14.05.2024)
SUSE Security Update SUSE-SU-2024:1634-1 dated 2024-05-14 (14.05.2024)
Red Hat Bugtracker dated 2024-04-08 (08.04.2024)
OpenSSL Security Advisory dated 2024-04-08 (08.04.2024)

Version history of this security alert

This is version 7 of this IT security notice for OpenSSL. This document will be updated as further updates are announced. You can follow changes and additions in this version history.

April 8, 2024 – Initial version
May 14, 2024 – New updates from SUSE added
May 15, 2024 – Added new updates from Amazon
May 28, 2024 – New updates from SUSE added
June 9, 2024 – New updates from SUSE added
June 10, 2024 – New VDE updates added
June 11, 2024 – Added new updates from Amazon

+++ Editor’s note: This document is based on current BSI data and is updated in a data-driven manner depending on the status of the alert. Suggestions and feedback are welcome at (email protected). +++


kns/roj/news.de