Bug 1222548 (CVE-2024-2511)

Summary: VUL-0: CVE-2024-2511: openssl-1_1,openssl-3:Unbounded memory growth with session handling in TLSv1.3
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Pedro Monreal Gonzalez <pmonrealgonzalez>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: camila.matos, meissner, pmonrealgonzalez
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/400736/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-2511:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-04-09 11:18:46 UTC 
Issue summary: Some non-default TLS server configurations can cause unbounded
memory growth when processing TLSv1.3 sessions

Impact summary: An attacker may exploit certain server configurations to trigger
unbounded memory growth that would lead to a Denial of Service

This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is
being used (but not if early_data support is also configured and the default
anti-replay protection is in use). In this case, under certain conditions, the
session cache can get into an incorrect state and it will fail to flush properly
as it fills. The session cache will continue to grow in an unbounded manner. A
malicious client could deliberately create the scenario for this failure to
force a Denial of Service. It may also happen by accident in normal operation.

This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS
clients.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL
1.0.2 is also not affected by this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-2511
https://seclists.org/oss-sec/2024/q2/44
https://www.cve.org/CVERecord?id=CVE-2024-2511
https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce
https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640
https://www.openssl.org/news/secadv/20240408.txt
https://bugzilla.redhat.com/show_bug.cgi?id=2274020
https://github.com/openssl/openssl/commit/4a3e8f08306c64366318e26162ae0a0eb7b1a006
https://github.com/openssl/openssl/commit/21df7f04f6c4a560b4de56d10e1e58958c7e566d
https://github.com/openssl/openssl/commit/03c4b0eab6dcbb59e3f58baad634be8fc798c103
https://github.com/openssl/openssl/commit/7984fa683e9dfac0cad50ef2a9d5a13330222044
https://github.com/openssl/openssl/commit/cfeaf33a26c53c526128df96db2d2ec105b43aec
https://github.com/openssl/openssl/commit/0447cd690f86ce52ff760d55d6064ea0d08656bf
Comment 4 Otto Hollmann 2024-05-07 12:49:38 UTC 
submitted
> Codestream              Package            Request
> --OpenSSL 3.x.x---------------------------------------------------------------------
> SUSE:SLE-15-SP6:GA      openssl-3          https://build.suse.de/request/show/329405
> SUSE:SLE-15-SP5:Update  openssl-3          https://build.suse.de/request/show/329408
> SUSE:SLE-15-SP4:Update  openssl-3          https://build.suse.de/request/show/329409
> SUSE:ALP:Source:Std:1.0 openssl-3          https://build.suse.de/request/show/329406
> openSUSE:Factory        openssl-3          https://build.opensuse.org/request/show/1172431
> --OpenSSL 1.1.x---------------------------------------------------------------------
> SUSE:SLE-15-SP6:GA      openssl-1_1        https://build.suse.de/request/show/329411
> SUSE:SLE-15-SP5:Update  openssl-1_1        https://build.suse.de/request/show/329412
> SUSE:SLE-15-SP4:Update  openssl-1_1        https://build.suse.de/request/show/329413
> SUSE:SLE-15-SP2:Update  openssl-1_1        https://build.suse.de/request/show/329414
> SUSE:SLE-15-SP1:Update  openssl-1_1        No TLSv1.3 support => not affected
> SUSE:SLE-12-SP4:Update  openssl-1_1        No TLSv1.3 support => not affected
> openSUSE:Factory        openssl-1_1        https://build.opensuse.org/request/show/1172432

Reassigning to security-team
Comment 5 Maintenance Automation 2024-05-14 12:30:08 UTC 
SUSE-SU-2024:1634-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1222548
CVE References: CVE-2024-2511
Maintenance Incident: [SUSE:Maintenance:33732](https://smelt.suse.de/incident/33732/)
Sources used:
Basesystem Module 15-SP5 (src):
 openssl-3-3.0.8-150500.5.30.1
openSUSE Leap 15.5 (src):
 openssl-3-3.0.8-150500.5.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2024-05-14 12:30:10 UTC 
SUSE-SU-2024:1633-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1222548
CVE References: CVE-2024-2511
Maintenance Incident: [SUSE:Maintenance:33740](https://smelt.suse.de/incident/33740/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 openssl-1_1-1.1.1d-150200.11.88.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 openssl-1_1-1.1.1d-150200.11.88.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 openssl-1_1-1.1.1d-150200.11.88.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 openssl-1_1-1.1.1d-150200.11.88.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 openssl-1_1-1.1.1d-150200.11.88.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 openssl-1_1-1.1.1d-150200.11.88.1
SUSE Enterprise Storage 7.1 (src):
 openssl-1_1-1.1.1d-150200.11.88.1
SUSE Linux Enterprise Micro 5.1 (src):
 openssl-1_1-1.1.1d-150200.11.88.1
SUSE Linux Enterprise Micro 5.2 (src):
 openssl-1_1-1.1.1d-150200.11.88.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 openssl-1_1-1.1.1d-150200.11.88.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Otto Hollmann 2024-05-21 07:30:17 UTC 
Openssl-3 resubmitted with fix for bug 1224388 (CVE-2024-4603)

> Codestream              Package            Request
> --OpenSSL 3.x.x---------------------------------------------------------------------
> SUSE:SLE-15-SP6:GA      openssl-3          https://build.suse.de/request/show/331341
> SUSE:SLE-15-SP5:Update  openssl-3          https://build.suse.de/request/show/331343
> SUSE:SLE-15-SP4:Update  openssl-3          https://build.suse.de/request/show/331344
> SUSE:SLFO:Main          openssl-3          https://build.suse.de/request/show/331342
> openSUSE:Factory        openssl-3          https://build.opensuse.org/request/show/1175444

Reassigning to security-team
Comment 11 Maintenance Automation 2024-05-29 08:30:10 UTC 
SUSE-SU-2024:1808-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1222548
CVE References: CVE-2024-2511
Maintenance Incident: [SUSE:Maintenance:33738](https://smelt.suse.de/incident/33738/)
Sources used:
openSUSE Leap 15.5 (src):
 openssl-1_1-1.1.1l-150500.17.28.2
SUSE Linux Enterprise Micro 5.5 (src):
 openssl-1_1-1.1.1l-150500.17.28.2
Basesystem Module 15-SP5 (src):
 openssl-1_1-1.1.1l-150500.17.28.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-06-07 16:30:11 UTC 
SUSE-SU-2024:1949-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1222548
CVE References: CVE-2024-2511
Maintenance Incident: [SUSE:Maintenance:33739](https://smelt.suse.de/incident/33739/)
Sources used:
openSUSE Leap 15.4 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
openSUSE Leap Micro 5.3 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
openSUSE Leap Micro 5.4 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
SUSE Linux Enterprise Micro 5.3 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
SUSE Linux Enterprise Micro 5.4 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
SUSE Manager Proxy 4.3 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
SUSE Manager Retail Branch Server 4.3 (src):
 openssl-1_1-1.1.1l-150400.7.66.2
SUSE Manager Server 4.3 (src):
 openssl-1_1-1.1.1l-150400.7.66.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2024-06-07 16:30:16 UTC 
SUSE-SU-2024:1947-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222548, 1224388
CVE References: CVE-2024-2511, CVE-2024-4603
Maintenance Incident: [SUSE:Maintenance:33737](https://smelt.suse.de/incident/33737/)
Sources used:
SUSE Manager Proxy 4.3 (src):
 openssl-3-3.0.8-150400.4.54.1
SUSE Manager Retail Branch Server 4.3 (src):
 openssl-3-3.0.8-150400.4.54.1
SUSE Manager Server 4.3 (src):
 openssl-3-3.0.8-150400.4.54.1
openSUSE Leap 15.4 (src):
 openssl-3-3.0.8-150400.4.54.1
openSUSE Leap Micro 5.3 (src):
 openssl-3-3.0.8-150400.4.54.1
openSUSE Leap Micro 5.4 (src):
 openssl-3-3.0.8-150400.4.54.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 openssl-3-3.0.8-150400.4.54.1
SUSE Linux Enterprise Micro 5.3 (src):
 openssl-3-3.0.8-150400.4.54.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 openssl-3-3.0.8-150400.4.54.1
SUSE Linux Enterprise Micro 5.4 (src):
 openssl-3-3.0.8-150400.4.54.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 openssl-3-3.0.8-150400.4.54.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 openssl-3-3.0.8-150400.4.54.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 openssl-3-3.0.8-150400.4.54.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 openssl-3-3.0.8-150400.4.54.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 openssl-3-3.0.8-150400.4.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Otto Hollmann 2024-07-02 08:18:04 UTC 
Submitted to SLE, not yet to Factory
> Codestream              Package            Request
> --OpenSSL 3.x.x---------------------------------------------------------------------
> SUSE:SLE-15-SP6:Update  openssl-3          https://build.suse.de/request/show/333420
> SUSE:SLE-15-SP5:Update  openssl-3          https://build.suse.de/request/show/333422
> SUSE:SLE-15-SP4:Update  openssl-3          https://build.suse.de/request/show/335259
> SUSE:SLFO:Main          openssl-3          https://build.suse.de/request/show/333429
> SUSE:ALP:Std:Main       openssl-3          https://build.suse.de/request/show/333426
> --OpenSSL 1.1.x---------------------------------------------------------------------
> SUSE:SLE-15-SP6:Update  openssl-1_1        https://build.suse.de/request/show/335272
> SUSE:SLE-15-SP5:Update  openssl-1_1        https://build.suse.de/request/show/335273
> SUSE:SLE-15-SP4:Update  openssl-1_1        https://build.suse.de/request/show/335274
> SUSE:SLE-15-SP2:Update  openssl-1_1        https://build.suse.de/request/show/335275
> SUSE:SLE-12-SP4:Update  openssl-1_1        https://build.suse.de/request/show/335277
Comment 16 Pedro Monreal Gonzalez 2024-07-04 22:55:34 UTC 
Factory submissions:
  * openssl-3: https://build.opensuse.org/request/show/1172431
  * openssl-1_1:https://build.opensuse.org/request/show/1172432

All submitted, assigning back to security-team.