Bugzilla – Bug 1222548
VUL-0: CVE-2024-2511: openssl-1_1,openssl-3:Unbounded memory growth with session handling in TLSv1.3
Last modified: 2024-08-01 11:59:12 UTC
Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-2511 https://seclists.org/oss-sec/2024/q2/44 https://www.cve.org/CVERecord?id=CVE-2024-2511 https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08 https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640 https://www.openssl.org/news/secadv/20240408.txt https://bugzilla.redhat.com/show_bug.cgi?id=2274020 https://github.com/openssl/openssl/commit/4a3e8f08306c64366318e26162ae0a0eb7b1a006 https://github.com/openssl/openssl/commit/21df7f04f6c4a560b4de56d10e1e58958c7e566d https://github.com/openssl/openssl/commit/03c4b0eab6dcbb59e3f58baad634be8fc798c103 https://github.com/openssl/openssl/commit/7984fa683e9dfac0cad50ef2a9d5a13330222044 https://github.com/openssl/openssl/commit/cfeaf33a26c53c526128df96db2d2ec105b43aec https://github.com/openssl/openssl/commit/0447cd690f86ce52ff760d55d6064ea0d08656bf
submitted > Codestream Package Request > --OpenSSL 3.x.x--------------------------------------------------------------------- > SUSE:SLE-15-SP6:GA openssl-3 https://build.suse.de/request/show/329405 > SUSE:SLE-15-SP5:Update openssl-3 https://build.suse.de/request/show/329408 > SUSE:SLE-15-SP4:Update openssl-3 https://build.suse.de/request/show/329409 > SUSE:ALP:Source:Std:1.0 openssl-3 https://build.suse.de/request/show/329406 > openSUSE:Factory openssl-3 https://build.opensuse.org/request/show/1172431 > --OpenSSL 1.1.x--------------------------------------------------------------------- > SUSE:SLE-15-SP6:GA openssl-1_1 https://build.suse.de/request/show/329411 > SUSE:SLE-15-SP5:Update openssl-1_1 https://build.suse.de/request/show/329412 > SUSE:SLE-15-SP4:Update openssl-1_1 https://build.suse.de/request/show/329413 > SUSE:SLE-15-SP2:Update openssl-1_1 https://build.suse.de/request/show/329414 > SUSE:SLE-15-SP1:Update openssl-1_1 No TLSv1.3 support => not affected > SUSE:SLE-12-SP4:Update openssl-1_1 No TLSv1.3 support => not affected > openSUSE:Factory openssl-1_1 https://build.opensuse.org/request/show/1172432 Reassigning to security-team
SUSE-SU-2024:1634-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1222548 CVE References: CVE-2024-2511 Maintenance Incident: [SUSE:Maintenance:33732](https://smelt.suse.de/incident/33732/) Sources used: Basesystem Module 15-SP5 (src): openssl-3-3.0.8-150500.5.30.1 openSUSE Leap 15.5 (src): openssl-3-3.0.8-150500.5.30.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1633-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1222548 CVE References: CVE-2024-2511 Maintenance Incident: [SUSE:Maintenance:33740](https://smelt.suse.de/incident/33740/) Sources used: SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.88.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.88.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.88.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_1-1.1.1d-150200.11.88.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_1-1.1.1d-150200.11.88.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.88.1 SUSE Enterprise Storage 7.1 (src): openssl-1_1-1.1.1d-150200.11.88.1 SUSE Linux Enterprise Micro 5.1 (src): openssl-1_1-1.1.1d-150200.11.88.1 SUSE Linux Enterprise Micro 5.2 (src): openssl-1_1-1.1.1d-150200.11.88.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): openssl-1_1-1.1.1d-150200.11.88.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Openssl-3 resubmitted with fix for bug 1224388 (CVE-2024-4603) > Codestream Package Request > --OpenSSL 3.x.x--------------------------------------------------------------------- > SUSE:SLE-15-SP6:GA openssl-3 https://build.suse.de/request/show/331341 > SUSE:SLE-15-SP5:Update openssl-3 https://build.suse.de/request/show/331343 > SUSE:SLE-15-SP4:Update openssl-3 https://build.suse.de/request/show/331344 > SUSE:SLFO:Main openssl-3 https://build.suse.de/request/show/331342 > openSUSE:Factory openssl-3 https://build.opensuse.org/request/show/1175444 Reassigning to security-team
SUSE-SU-2024:1808-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1222548 CVE References: CVE-2024-2511 Maintenance Incident: [SUSE:Maintenance:33738](https://smelt.suse.de/incident/33738/) Sources used: openSUSE Leap 15.5 (src): openssl-1_1-1.1.1l-150500.17.28.2 SUSE Linux Enterprise Micro 5.5 (src): openssl-1_1-1.1.1l-150500.17.28.2 Basesystem Module 15-SP5 (src): openssl-1_1-1.1.1l-150500.17.28.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1949-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1222548 CVE References: CVE-2024-2511 Maintenance Incident: [SUSE:Maintenance:33739](https://smelt.suse.de/incident/33739/) Sources used: openSUSE Leap 15.4 (src): openssl-1_1-1.1.1l-150400.7.66.2 openSUSE Leap Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.66.2 openSUSE Leap Micro 5.4 (src): openssl-1_1-1.1.1l-150400.7.66.2 SUSE Linux Enterprise Micro for Rancher 5.3 (src): openssl-1_1-1.1.1l-150400.7.66.2 SUSE Linux Enterprise Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.66.2 SUSE Linux Enterprise Micro for Rancher 5.4 (src): openssl-1_1-1.1.1l-150400.7.66.2 SUSE Linux Enterprise Micro 5.4 (src): openssl-1_1-1.1.1l-150400.7.66.2 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): openssl-1_1-1.1.1l-150400.7.66.2 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): openssl-1_1-1.1.1l-150400.7.66.2 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): openssl-1_1-1.1.1l-150400.7.66.2 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): openssl-1_1-1.1.1l-150400.7.66.2 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): openssl-1_1-1.1.1l-150400.7.66.2 SUSE Manager Proxy 4.3 (src): openssl-1_1-1.1.1l-150400.7.66.2 SUSE Manager Retail Branch Server 4.3 (src): openssl-1_1-1.1.1l-150400.7.66.2 SUSE Manager Server 4.3 (src): openssl-1_1-1.1.1l-150400.7.66.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1947-1: An update that solves two vulnerabilities can now be installed. Category: security (moderate) Bug References: 1222548, 1224388 CVE References: CVE-2024-2511, CVE-2024-4603 Maintenance Incident: [SUSE:Maintenance:33737](https://smelt.suse.de/incident/33737/) Sources used: SUSE Manager Proxy 4.3 (src): openssl-3-3.0.8-150400.4.54.1 SUSE Manager Retail Branch Server 4.3 (src): openssl-3-3.0.8-150400.4.54.1 SUSE Manager Server 4.3 (src): openssl-3-3.0.8-150400.4.54.1 openSUSE Leap 15.4 (src): openssl-3-3.0.8-150400.4.54.1 openSUSE Leap Micro 5.3 (src): openssl-3-3.0.8-150400.4.54.1 openSUSE Leap Micro 5.4 (src): openssl-3-3.0.8-150400.4.54.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): openssl-3-3.0.8-150400.4.54.1 SUSE Linux Enterprise Micro 5.3 (src): openssl-3-3.0.8-150400.4.54.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): openssl-3-3.0.8-150400.4.54.1 SUSE Linux Enterprise Micro 5.4 (src): openssl-3-3.0.8-150400.4.54.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): openssl-3-3.0.8-150400.4.54.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): openssl-3-3.0.8-150400.4.54.1 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): openssl-3-3.0.8-150400.4.54.1 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): openssl-3-3.0.8-150400.4.54.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): openssl-3-3.0.8-150400.4.54.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Submitted to SLE, not yet to Factory > Codestream Package Request > --OpenSSL 3.x.x--------------------------------------------------------------------- > SUSE:SLE-15-SP6:Update openssl-3 https://build.suse.de/request/show/333420 > SUSE:SLE-15-SP5:Update openssl-3 https://build.suse.de/request/show/333422 > SUSE:SLE-15-SP4:Update openssl-3 https://build.suse.de/request/show/335259 > SUSE:SLFO:Main openssl-3 https://build.suse.de/request/show/333429 > SUSE:ALP:Std:Main openssl-3 https://build.suse.de/request/show/333426 > --OpenSSL 1.1.x--------------------------------------------------------------------- > SUSE:SLE-15-SP6:Update openssl-1_1 https://build.suse.de/request/show/335272 > SUSE:SLE-15-SP5:Update openssl-1_1 https://build.suse.de/request/show/335273 > SUSE:SLE-15-SP4:Update openssl-1_1 https://build.suse.de/request/show/335274 > SUSE:SLE-15-SP2:Update openssl-1_1 https://build.suse.de/request/show/335275 > SUSE:SLE-12-SP4:Update openssl-1_1 https://build.suse.de/request/show/335277
Factory submissions: * openssl-3: https://build.opensuse.org/request/show/1172431 * openssl-1_1:https://build.opensuse.org/request/show/1172432 All submitted, assigning back to security-team.