csaf_certbund - wid-sec-w-2024-3230

wid-sec-w-2024-3230

Vulnerability from csaf_certbund

Published

2024-10-16 22:00

Modified

2025-01-06 23:00

Summary

OpenSSL: Schwachstelle ermöglicht Denial of Service und Remote-Code-Ausführung

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

OpenSSL ist eine im Quelltext frei verfügbare Bibliothek, die Secure Sockets Layer (SSL) und Transport Layer Security (TLS) implementiert.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in OpenSSL ausnutzen, um einen Denial of Service Angriff durchzuführen oder um beliebigen Code auszuführen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         text: "mittel",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "OpenSSL ist eine im Quelltext frei verfügbare Bibliothek, die Secure Sockets Layer (SSL) und Transport Layer Security (TLS) implementiert.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in OpenSSL ausnutzen, um einen Denial of Service Angriff durchzuführen oder um beliebigen Code auszuführen.",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- Linux\n- Sonstiges\n- UNIX\n- Windows",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2024-3230 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3230.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2024-3230 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3230",
         },
         {
            category: "external",
            summary: "OpenSSL Security Advisory vom 2024-10-16",
            url: "https://openssl-library.org/news/secadv/20241016.txt",
         },
         {
            category: "external",
            summary: "OSS Security Mailing List vom 2024-10-16",
            url: "https://seclists.org/oss-sec/2024/q4/33",
         },
         {
            category: "external",
            summary: "openSUSE Security Update OPENSUSE-SU-2024:14416-1 vom 2024-10-21",
            url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZAEWAWTQ662APXDOVFSO6WSPPJ73EELU/",
         },
         {
            category: "external",
            summary: "openSUSE Security Update OPENSUSE-SU-2024:14416-1 vom 2024-10-21",
            url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ZAEWAWTQ662APXDOVFSO6WSPPJ73EELU/",
         },
         {
            category: "external",
            summary: "Debian Security Advisory DLA-3942 vom 2024-10-31",
            url: "https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 7178390 vom 2024-12-10",
            url: "https://www.ibm.com/support/pages/node/7178390",
         },
         {
            category: "external",
            summary: "Amazon Linux Security Advisory ALAS-2024-2722 vom 2024-12-20",
            url: "https://alas.aws.amazon.com/AL2/ALAS-2024-2722.html",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 7180215 vom 2025-01-03",
            url: "https://www.ibm.com/support/pages/node/7180215",
         },
         {
            category: "external",
            summary: "Alpine Annonuce vom 2025-01-06",
            url: "https://lists.alpinelinux.org/~alpine/announce/%3C20250106205852.020f34cd%40ncopa-desktop%3E",
         },
      ],
      source_lang: "en-US",
      title: "OpenSSL: Schwachstelle ermöglicht Denial of Service und Remote-Code-Ausführung",
      tracking: {
         current_release_date: "2025-01-06T23:00:00.000+00:00",
         generator: {
            date: "2025-01-07T12:12:25.970+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.10",
            },
         },
         id: "WID-SEC-W-2024-3230",
         initial_release_date: "2024-10-16T22:00:00.000+00:00",
         revision_history: [
            {
               date: "2024-10-16T22:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
            {
               date: "2024-10-21T22:00:00.000+00:00",
               number: "2",
               summary: "Neue Updates von openSUSE aufgenommen",
            },
            {
               date: "2024-10-23T22:00:00.000+00:00",
               number: "3",
               summary: "Anpassung der Bewertung",
            },
            {
               date: "2024-10-30T23:00:00.000+00:00",
               number: "4",
               summary: "Neue Updates von Debian aufgenommen",
            },
            {
               date: "2024-12-10T23:00:00.000+00:00",
               number: "5",
               summary: "Neue Updates von IBM und IBM-APAR aufgenommen",
            },
            {
               date: "2024-12-19T23:00:00.000+00:00",
               number: "6",
               summary: "Neue Updates von Amazon aufgenommen",
            },
            {
               date: "2025-01-05T23:00:00.000+00:00",
               number: "7",
               summary: "Neue Updates von IBM aufgenommen",
            },
            {
               date: "2025-01-06T23:00:00.000+00:00",
               number: "8",
               summary: "Neue Updates aufgenommen",
            },
         ],
         status: "final",
         version: "8",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  category: "product_name",
                  name: "Amazon Linux 2",
                  product: {
                     name: "Amazon Linux 2",
                     product_id: "398363",
                     product_identification_helper: {
                        cpe: "cpe:/o:amazon:linux_2:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "Amazon",
         },
         {
            branches: [
               {
                  category: "product_name",
                  name: "Debian Linux",
                  product: {
                     name: "Debian Linux",
                     product_id: "2951",
                     product_identification_helper: {
                        cpe: "cpe:/o:debian:debian_linux:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "Debian",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<13.0.2.0",
                        product: {
                           name: "IBM App Connect Enterprise <13.0.2.0",
                           product_id: "T039657",
                        },
                     },
                     {
                        category: "product_version",
                        name: "13.0.2.0",
                        product: {
                           name: "IBM App Connect Enterprise 13.0.2.0",
                           product_id: "T039657-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:app_connect_enterprise:13.0.2.0",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<12.0.12.9",
                        product: {
                           name: "IBM App Connect Enterprise <12.0.12.9",
                           product_id: "T039658",
                        },
                     },
                     {
                        category: "product_version",
                        name: "12.0.12.9",
                        product: {
                           name: "IBM App Connect Enterprise 12.0.12.9",
                           product_id: "T039658-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:app_connect_enterprise:12.0.12.9",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "App Connect Enterprise",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "6.3.0",
                        product: {
                           name: "IBM Sterling Connect:Direct 6.3.0",
                           product_id: "T040001",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:sterling_connect%3adirect:6.3.0",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "6.4.0",
                        product: {
                           name: "IBM Sterling Connect:Direct 6.4.0",
                           product_id: "T040002",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:sterling_connect%3adirect:6.4.0",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Sterling Connect:Direct",
               },
            ],
            category: "vendor",
            name: "IBM",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<3.18.10",
                        product: {
                           name: "Open Source Alpine Linux <3.18.10",
                           product_id: "T040035",
                        },
                     },
                     {
                        category: "product_version",
                        name: "3.18.10",
                        product: {
                           name: "Open Source Alpine Linux 3.18.10",
                           product_id: "T040035-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:alpinelinux:alpine_linux:3.18.10",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<3.19.5",
                        product: {
                           name: "Open Source Alpine Linux <3.19.5",
                           product_id: "T040036",
                        },
                     },
                     {
                        category: "product_version",
                        name: "3.19.5",
                        product: {
                           name: "Open Source Alpine Linux 3.19.5",
                           product_id: "T040036-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:alpinelinux:alpine_linux:3.19.5",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<3.20.4",
                        product: {
                           name: "Open Source Alpine Linux <3.20.4",
                           product_id: "T040037",
                        },
                     },
                     {
                        category: "product_version",
                        name: "3.20.4",
                        product: {
                           name: "Open Source Alpine Linux 3.20.4",
                           product_id: "T040037-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:alpinelinux:alpine_linux:3.20.4",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Alpine Linux",
               },
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<3.3.3",
                        product: {
                           name: "Open Source OpenSSL <3.3.3",
                           product_id: "T038469",
                        },
                     },
                     {
                        category: "product_version",
                        name: "3.3.3",
                        product: {
                           name: "Open Source OpenSSL 3.3.3",
                           product_id: "T038469-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:openssl:openssl:3.3.3",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<3.2.4",
                        product: {
                           name: "Open Source OpenSSL <3.2.4",
                           product_id: "T038470",
                        },
                     },
                     {
                        category: "product_version",
                        name: "3.2.4",
                        product: {
                           name: "Open Source OpenSSL 3.2.4",
                           product_id: "T038470-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:openssl:openssl:3.2.4",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<3.1.8",
                        product: {
                           name: "Open Source OpenSSL <3.1.8",
                           product_id: "T038471",
                        },
                     },
                     {
                        category: "product_version",
                        name: "3.1.8",
                        product: {
                           name: "Open Source OpenSSL 3.1.8",
                           product_id: "T038471-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:openssl:openssl:3.1.8",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<3.0.16",
                        product: {
                           name: "Open Source OpenSSL <3.0.16",
                           product_id: "T038472",
                        },
                     },
                     {
                        category: "product_version",
                        name: "3.0.16",
                        product: {
                           name: "Open Source OpenSSL 3.0.16",
                           product_id: "T038472-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:openssl:openssl:3.0.16",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<1.1.1zb",
                        product: {
                           name: "Open Source OpenSSL <1.1.1zb",
                           product_id: "T038473",
                        },
                     },
                     {
                        category: "product_version",
                        name: "1.1.1zb",
                        product: {
                           name: "Open Source OpenSSL 1.1.1zb",
                           product_id: "T038473-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:openssl:openssl:1.1.1zb",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<1.0.2zl",
                        product: {
                           name: "Open Source OpenSSL <1.0.2zl",
                           product_id: "T038474",
                        },
                     },
                     {
                        category: "product_version",
                        name: "1.0.2zl",
                        product: {
                           name: "Open Source OpenSSL 1.0.2zl",
                           product_id: "T038474-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:openssl:openssl:1.0.2zl",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "OpenSSL",
               },
            ],
            category: "vendor",
            name: "Open Source",
         },
         {
            branches: [
               {
                  category: "product_name",
                  name: "SUSE openSUSE",
                  product: {
                     name: "SUSE openSUSE",
                     product_id: "T027843",
                     product_identification_helper: {
                        cpe: "cpe:/o:suse:opensuse:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "SUSE",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2024-9143",
         notes: [
            {
               category: "description",
               text: "Es besteht eine Schwachstelle in OpenSSL. Dieser Fehler existiert wegen unsachgemäßer Handhabung von Low-Level GF(2^m) elliptischen Kurven APIs, was das Lesen oder Schreiben von Out-of-Bounds Speicher erlaubt. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, indem er nicht vertrauenswürdige explizite Werte für das Feldpolynom bereitstellt, was zu einem Absturz der Anwendung, einer Beschädigung des Speichers oder einer entfernten Codeausführung führen kann.",
            },
         ],
         product_status: {
            known_affected: [
               "T039658",
               "T038469",
               "T039657",
               "T038474",
               "T038470",
               "T038471",
               "T038472",
               "T038473",
               "2951",
               "T027843",
               "398363",
               "T040037",
               "T040036",
               "T040002",
               "T040035",
               "T040001",
            ],
         },
         release_date: "2024-10-16T22:00:00.000+00:00",
         title: "CVE-2024-9143",
      },
   ],
}

cve-2024-9143

Vulnerability from cvelistv5

Published

2024-10-16 17:09

Modified

2024-11-08 15:30

Severity ?

Summary

Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of existence of a vulnerable application is low. In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding. The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions. Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

References

▼	URL	Tags
	https://openssl-library.org/news/secadv/20241016.txt	vendor-advisory
	https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4	patch
	https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700	patch
	https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154	patch
	https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712	patch
	https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a	patch
	https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41	patch

Impacted products

	Vendor	Product	Version
	OpenSSL	OpenSSL	Version: 3.3.0 ≤ Version: 3.2.0 ≤ Version: 3.1.0 ≤ Version: 3.0.0 ≤ Version: 1.1.1 < 1.1.1zb Version: 1.0.2 < 1.0.2zl

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "NONE",
                     baseScore: 4.3,
                     baseSeverity: "MEDIUM",
                     confidentialityImpact: "NONE",
                     integrityImpact: "LOW",
                     privilegesRequired: "LOW",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2024-9143",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-16T19:45:11.544020Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-08T15:30:04.030Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-11-01T17:03:16.065Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "http://www.openwall.com/lists/oss-security/2024/10/16/1",
               },
               {
                  url: "http://www.openwall.com/lists/oss-security/2024/10/23/1",
               },
               {
                  url: "http://www.openwall.com/lists/oss-security/2024/10/24/1",
               },
               {
                  url: "https://security.netapp.com/advisory/ntap-20241101-0001/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "OpenSSL",
               vendor: "OpenSSL",
               versions: [
                  {
                     lessThan: "3.3.3",
                     status: "affected",
                     version: "3.3.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.2.4",
                     status: "affected",
                     version: "3.2.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.1.8",
                     status: "affected",
                     version: "3.1.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.0.16",
                     status: "affected",
                     version: "3.0.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "1.1.1zb",
                     status: "affected",
                     version: "1.1.1",
                     versionType: "custom",
                  },
                  {
                     lessThan: "1.0.2zl",
                     status: "affected",
                     version: "1.0.2",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               value: "Google OSS-Fuzz-Gen",
            },
            {
               lang: "en",
               type: "remediation developer",
               value: "Viktor Dukhovni",
            },
         ],
         datePublic: "2024-10-16T14:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted<br>explicit values for the field polynomial can lead to out-of-bounds memory reads<br>or writes.<br><br>Impact summary: Out of bound memory writes can lead to an application crash or<br>even a possibility of a remote code execution, however, in all the protocols<br>involving Elliptic Curve Cryptography that we're aware of, either only \"named<br>curves\" are supported, or, if explicit curve parameters are supported, they<br>specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent<br>problematic input values. Thus the likelihood of existence of a vulnerable<br>application is low.<br><br>In particular, the X9.62 encoding is used for ECC keys in X.509 certificates,<br>so problematic inputs cannot occur in the context of processing X.509<br>certificates.  Any problematic use-cases would have to be using an \"exotic\"<br>curve encoding.<br><br>The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),<br>and various supporting BN_GF2m_*() functions.<br><br>Applications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,<br>that make it possible to represent invalid field polynomials with a zero<br>constant term, via the above or similar APIs, may terminate abruptly as a<br>result of reading or writing outside of array bounds.  Remote code execution<br>cannot easily be ruled out.<br><br>The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",
                  },
               ],
               value: "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates.  Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds.  Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",
            },
         ],
         metrics: [
            {
               format: "other",
               other: {
                  content: {
                     text: "Low",
                  },
                  type: "https://openssl-library.org/policies/general/security-policy/",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-787",
                     description: "CWE-787 Out-of-bounds Write",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-10-16T17:09:23.844Z",
            orgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
            shortName: "openssl",
         },
         references: [
            {
               name: "OpenSSL Advisory",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://openssl-library.org/news/secadv/20241016.txt",
            },
            {
               name: "3.3.3 git commit",
               tags: [
                  "patch",
               ],
               url: "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4",
            },
            {
               name: "3.2.4 git commit",
               tags: [
                  "patch",
               ],
               url: "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700",
            },
            {
               name: "3.1.8 git commit",
               tags: [
                  "patch",
               ],
               url: "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154",
            },
            {
               name: "3.0.16 git commit",
               tags: [
                  "patch",
               ],
               url: "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712",
            },
            {
               name: "1.1.1zb git commit",
               tags: [
                  "patch",
               ],
               url: "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a",
            },
            {
               name: "1.0.2zl git commit",
               tags: [
                  "patch",
               ],
               url: "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Low-level invalid GF(2^m) parameters lead to OOB memory access",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
      assignerShortName: "openssl",
      cveId: "CVE-2024-9143",
      datePublished: "2024-10-16T17:09:23.844Z",
      dateReserved: "2024-09-24T08:37:04.834Z",
      dateUpdated: "2024-11-08T15:30:04.030Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted