Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2024-5535
CVE-2024-5535:
MySQL vulnerability analysis and mitigation
Overview
CVE-2024-5535 affects the OpenSSL API function SSLselectnext_proto, where calling this function with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. The vulnerability was discovered on May 2, 2024, and affects OpenSSL versions 3.3, 3.2, 3.1, 3.0, 1.1.1, and 1.0.2. This issue has been assessed as Low severity due to its limited scope and exploitation requirements (OpenSSL Advisory).
Technical details
The vulnerability occurs in the SSLselectnext_proto function, which is used by TLS applications supporting ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). When called with a zero-length client list, the function fails to notice this condition and returns memory immediately following the client list pointer, reporting no overlap in the lists. The function is typically called from a server-side application callback for ALPN or a client-side application callback for NPN. The FIPS modules in versions 3.3, 3.2, 3.1, and 3.0 are not affected by this issue (OpenSSL Advisory).
Impact
The buffer overread vulnerability can lead to multiple consequences, including unexpected application behavior, crashes, and potential disclosure of up to 255 bytes of arbitrary private data from memory to the peer, resulting in a loss of confidentiality. The vulnerability has been assigned a CVSS 3.1 Base Score of 9.1 CRITICAL by CISA-ADP with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H (NVD).
Mitigation and workarounds
Due to the low severity of this issue, OpenSSL is not issuing immediate new releases. The fix will be included in future releases: OpenSSL 3.3.2, 3.2.3, 3.1.7, and 3.0.15. Premium support customers will receive fixes in versions 1.1.1za and 1.0.2zk. The fixes are available in commits e86ac436f0 (3.3), 99fb785a5f (3.2), 4ada436a19 (3.1), and cf6f91f612 (3.0) in the OpenSSL git repository (OpenSSL Advisory).
Community reactions
Security researchers have commented on OpenSSL's tendency to maintain legacy features. Hanno Böck specifically mentioned this vulnerability in a discussion about deprecating old protocols, suggesting that the NPN code (affected by CVE-2024-5535) should be removed as it was replaced by ALPN a decade ago (OSS Security).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management