First published: Tue Sep 03 2024
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.
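As an added example that is not part of this advisory or of Progress's code, the following shows why a certificate without the necessary name information cannot pass host name validation, and what a client configuration that refuses to skip that validation looks like. The two certificate dictionaries are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()` and are assumptions; they do not reproduce the actual OpenEdge default certificate.

```python
import ssl

# Constructed sample: a certificate carrying only a generic CN and no
# subjectAltName, standing in for a vendor-installed default certificate
# (assumption: the real default certificate contents are not shown here).
DEFAULT_STYLE_CERT = {
    "subject": ((("commonName", "default"),),),
    "issuer": ((("commonName", "default"),),),
}

# Constructed sample: a CA-signed certificate with proper SAN entries.
CA_SIGNED_CERT = {
    "subject": ((("commonName", "appserver.example.test"),),),
    "subjectAltName": (("DNS", "appserver.example.test"),
                       ("DNS", "*.db.example.test")),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, a wildcard is only
    accepted as the whole left-most label and never spans a dot."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """True only if a subjectAltName DNS entry matches hostname.
    A certificate with no SAN cannot pass; the bare CN is not consulted."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return any(_dns_name_matches(san, hostname) for san in sans)


def hardened_client_context(ca_bundle=None):
    """Client context that requires a trusted chain and host name match."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_enforces_hostname(ctx):
    """Audit helper: does this context actually validate host names?"""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED
```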
Credit: security@progress.com
Affected Software | Affected Version | How to fix
---|---|---
Progress OpenEdge | <=11.7.19 | Use the 11.7 LTS release at the 11.7.20 Update level or above, or the 12.8.0 or above LTS release where the vulnerability does not exist
Progress OpenEdge | >=12.0, <=12.2.14 | Use the 12.2 LTS release at the 12.2.15 Update level or above, or the 12.8.0 or above LTS release where the vulnerability does not exist
CVE-2024-7346 has been assessed to have a moderate severity level due to the potential bypass of host name validation.
To fix CVE-2024-7346, ensure that default TLS certificates are no longer used and implement custom certificates that enforce host name validation.
CVE-2024-7346 affects Progress OpenEdge versions up to and including 11.7.19, as well as versions between 12.0 and 12.2.14.
The impact of CVE-2024-7346 is compromised connection security: because host name validation is bypassed, an attacker could intercept and manipulate the affected communications.
A possible workaround for CVE-2024-7346 is to replace the default certificates with verified custom certificates that enforce proper host name validation.