CWE
476 20
EPSS
0.228%
Advisory Published
CVE Published
Advisory Published
Updated

CVE-2024-0727: PKCS12 Decoding crashes

First published: Tue Jan 23 2024(Updated: )

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

Credit: openssl-security@openssl.org openssl-security@openssl.org

Affected SoftwareAffected VersionHow to fix
IBM Planning Analytics Local - IBM Planning Analytics Workspace<=2.1
IBM Planning Analytics Local - IBM Planning Analytics Workspace<=2.0
OpenSSL OpenSSL>=1.0.2<1.0.2zj
OpenSSL OpenSSL>=1.1.1<1.1.1x
OpenSSL OpenSSL>=3.0.0<3.0.13
OpenSSL OpenSSL>=3.1.0<3.1.5
OpenSSL OpenSSL=3.2.0
pip/cryptography<42.0.2
42.0.2
debian/openssl
1.1.1w-0+deb11u1
1.1.1w-0+deb11u2
3.0.15-1~deb12u1
3.0.14-1~deb12u2
3.3.2-2

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203