
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-12797 is a high-severity vulnerability discovered in OpenSSL affecting versions 3.2, 3.3, and 3.4. The vulnerability was reported by Apple Inc. on December 18, 2024, and involves clients that use RFC 7250 Raw Public Keys (RPKs) to authenticate a server. The issue is that such clients can fail to notice that the server was not authenticated, because the handshake does not abort as expected when the SSL_VERIFY_PEER verification mode is set (OpenSSL Advisory).
The vulnerability affects TLS and DTLS connections using raw public keys. RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when a TLS client explicitly enables RPK use by the server, and the server enables sending an RPK instead of an X.509 certificate chain. The affected clients are those that set the verification mode to SSL_VERIFY_PEER and rely on the handshake failing when the server's RPK does not match one of the expected public keys. The issue was introduced in the initial implementation of RPK support in OpenSSL 3.2 (OpenSSL Advisory).
The vulnerability could lead to man-in-the-middle attacks when a client does not detect that server authentication failed. Clients that enable server-side raw public keys can still detect verification failures by calling SSL_get_verify_result() after the handshake and taking appropriate action; clients that do not implement this check are the ones exposed (OpenSSL Advisory).
OpenSSL has released patches for affected versions. Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.1, OpenSSL 3.3 users should upgrade to OpenSSL 3.3.3, and OpenSSL 3.2 users should upgrade to OpenSSL 3.2.4. The FIPS modules in versions 3.4, 3.3, 3.2, 3.1, and 3.0 are not affected by this issue. Additionally, OpenSSL versions 3.1, 3.0, 1.1.1, and 1.0.2 are not vulnerable (OpenSSL Advisory).
Source: This report was generated using AI