CVE-2024-7346: Client connections using default TLS certificates from OpenEdge may bypass TLS host name validation
First published: Tue Sep 03 2024(Updated: )
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.
Credit: security@progress.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Progress OpenEdge | <=11.7.19 | |
| Progress OpenEdge | >=12.0<=12.2.14 |
Remedy
Use the 12.8.0 or above LTS release where the vulnerability does not exist
Remedy
Use the 12.2 LTS release at the 12.2.15 Update level or above
Remedy
Use the 11.7 LTS release at the 11.7.20 Update level or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/title
- agent/references
- agent/description
- agent/first-publish-date
- agent/type
- agent/author
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/softwarecombine
- agent/tags
- vendor/progress
- canonical/progress openedge
- version/progress openedge/11.7.19
- version/progress openedge/12.0
- version/progress openedge/12.2.14