CVE-2024-5535: SSL_select_next_proto buffer overread
First published: Thu Jun 27 2024(Updated: )
<p>We are republishing this OpenSSL CVE to document that the latest version Microsoft Defender for Endpoint has been updated to protect against this OpenSSL library vulnerability.</p>
Credit: openssl-security@openssl.org openssl-security@openssl.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/openssl | <=1.1.1w-0+deb11u1<=1.1.1n-0+deb11u5<=3.0.14-1~deb12u1<=3.0.14-1~deb12u2 | 3.3.2-1 |
| Microsoft Azure Linux 3.0 ARM | ||
| Microsoft Defender for Endpoint for iOS | ||
| Microsoft Azure Linux 3.0 x64 | ||
| Microsoft CBL-Mariner | ||
| Microsoft CBL-Mariner | ||
| Microsoft Defender for Endpoint |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2024/06/27/1
- http://www.openwall.com/lists/oss-security/2024/06/28/4
- https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37
- https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e
- https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c
- https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c
- https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c
- https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87
- https://security.netapp.com/advisory/ntap-20240712-0005/
- https://www.openssl.org/news/secadv/20240627.txt
- https://github.com/openssl/openssl/commit/2ebbe2d7ca8551c4cb5fbb391ab9af411708090e
- https://github.com/openssl/openssl/commit/c6e1ea223510bb7104bf0c41c0c45eda5a16b718
- https://github.com/openssl/openssl/commit/fc8ff75814767d6c55ea78d05adc72cd346d0f0a
- https://github.com/openssl/openssl/commit/a210f580f450bbd08fac85f06e27107b8c580f9b
- https://github.com/openssl/openssl/commit/0d883f6309b6905d29ffded6d703ded39385579c
- https://github.com/openssl/openssl/commit/9925c97a8e8c9887765a0979c35b516bc8c3af85
- https://github.com/openssl/openssl/commit/e10a3a84bf73a3e6024c338b51f2fb4e78a3dee9
- https://github.com/openssl/openssl/commit/238fa464d6e38aa2c92af70ef9580c74cff512e4
- https://github.com/openssl/openssl/commit/de71058567b84c6e14b758a383e1862eb3efb921
- https://github.com/openssl/openssl/commit/214c724e00d594c3eecf4b740ee7af772f0ee04a
- https://security-tracker.debian.org/tracker/CVE-2024-5535
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535
- https://nvd.nist.gov/vuln/detail/CVE-2024-5535
- https://launchpad.net/bugs/cve/CVE-2024-5535
- https://ubuntu.com/security/CVE-2024-5535
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5535 (Advisory)
- https://www.ibm.com/support/pages/node/7182403 (Advisory)
- https://access.redhat.com/errata/RHSA-2024:7846
- https://access.redhat.com/errata/RHSA-2024:7847
- https://access.redhat.com/errata/RHSA-2024:7848
- https://access.redhat.com/errata/RHSA-2024:9333
- https://access.redhat.com/errata/RHSA-2025:1671
- https://access.redhat.com/errata/RHSA-2025:1673
- https://bugzilla.redhat.com/show_bug.cgi?id=2294581
Frequently Asked Questions
What is the severity of CVE-2024-5535?
CVE-2024-5535 is classified as a moderate severity vulnerability due to its potential impact on applications using OpenSSL.
How do I fix CVE-2024-5535?
To fix CVE-2024-5535, update your OpenSSL to version 3.3.2-1 or later if you are using an affected distribution.
What software is affected by CVE-2024-5535?
CVE-2024-5535 affects various versions of OpenSSL as implemented in products like Microsoft Azure Linux and Defender for Endpoint.
Does Microsoft Defender protect against CVE-2024-5535?
Yes, the latest version of Microsoft Defender for Endpoint has been updated to protect against CVE-2024-5535.
What is the OpenSSL API function related to CVE-2024-5535?
CVE-2024-5535 is related to the OpenSSL API function SSL_select_next_proto when called with an empty supported client list.
- agent/title
- agent/weakness
- agent/type
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-5535
- collector/nvd-api
- source/NVD
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/remedy
- agent/first-publish-date
- collector/nvd-cve
- agent/author
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- collector/msrc
- source/Microsoft
- collector/mitre-cve
- source/MITRE
- collector/msrc-cve
- agent/severity
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/references
- agent/last-modified-date
- agent/source
- agent/description
- agent/tags
- agent/event
- agent/trending
- collector/redhat-bugzilla
- source/Red Hat
- package-manager/debian
- vendor/microsoft
- canonical/microsoft azure linux 3.0 arm
- canonical/microsoft defender for endpoint for ios
- canonical/microsoft azure linux 3.0 x64
- canonical/microsoft cbl-mariner
- canonical/microsoft defender for endpoint