CVE-2024-28882: 
OpenVPN vulnerability analysis and mitigation

OpenVPN versions from 2.6.0 through 2.6.10, when operating in a server role, contain a vulnerability where the server accepts multiple exit notifications from authenticated clients, which can extend the validity of a closing session. This vulnerability was assigned CVE-2024-28882 and was publicly disclosed on July 8, 2024 (NVD).

The vulnerability is classified as CWE-772 (Missing Release of Resource after Effective Lifetime). The issue was introduced in version 2.6.0 beta1 through commit d468dff7bdfd79059818c190ddf41b125bb658de and has been assigned a CVSS 3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (Debian Tracker, NVD).

The vulnerability affects resource management in OpenVPN servers, potentially leading to extended session validity beyond intended timeframes. This could impact server resource availability and session management capabilities (NVD).

The vulnerability has been fixed in OpenVPN version 2.6.11 through commit 65fb67cd6c320a426567b2922c4282fb8738ba3f. Users are advised to upgrade to this version or later. Several distributions have also released fixed packages, including Ubuntu 24.04 LTS (2.6.9-1ubuntu4.1) and Ubuntu 23.10 (2.6.5-0ubuntu1.2) (Ubuntu Security, Debian Tracker).