
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-6119 affects OpenSSL versions 3.3, 3.2, 3.1, and 3.0, discovered on June 16, 2024. The vulnerability involves applications performing certificate name checks, particularly TLS clients checking server certificates, which may attempt to read an invalid memory address. This issue affects certificate name validation functionality but does not impact basic certificate chain validation (signatures, dates, etc.) (OpenSSL Advisory).
The vulnerability occurs when comparing the expected name with an otherName subject alternative name of an X.509 certificate. The GENERAL_NAME data type is a union, and accessing a member field that does not match the entry's gen->type tag can lead to a segfault. The issue specifically arises during certificate name checks when the application specifies an expected DNS name, email address, or IP address (OpenSSL Advisory, GitHub Commit).
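The following is an added example, not OpenSSL's code: it models a GENERAL_NAME-style tagged union with simplified, constructed struct layouts and constants, and shows an email name check that only reads the otherName member after the type tag confirms it is the active one, so a DNS or IP SAN entry is skipped rather than read through the wrong union member.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of a SAN entry: a tag plus a union whose active member
 * is selected by the tag. Constructed for this example; not OpenSSL's layout. */
enum gn_type { GEN_OTHERNAME_T, GEN_EMAIL_T, GEN_DNS_T, GEN_IPADD_T };

/* Constructed stand-in for the SmtpUTF8Mailbox otherName type identifier. */
#define OID_SMTP_UTF8_MAILBOX 1

struct other_name { int type_id; const char *value; };

struct general_name {
    enum gn_type type;
    union {
        struct other_name *otherName;
        const char *rfc822Name;   /* email address */
        const char *dNSName;
        const char *ipAddress;
    } d;
};

/* True if this SAN entry names the expected email address. The otherName
 * member is dereferenced only once the tag says it is the active member;
 * without that check a dNSName entry would be read as an other_name pointer. */
bool san_matches_email(const struct general_name *gen, const char *expected)
{
    if (gen->type == GEN_EMAIL_T)
        return strcmp(gen->d.rfc822Name, expected) == 0;
    if (gen->type == GEN_OTHERNAME_T
        && gen->d.otherName->type_id == OID_SMTP_UTF8_MAILBOX)
        return strcmp(gen->d.otherName->value, expected) == 0;
    return false;   /* DNS and IP entries never match an email identifier */
}

/* Walk a SAN list; any matching entry counts as success. */
bool cert_matches_email(const struct general_name *sans, size_t n, const char *expected)
{
    for (size_t i = 0; i < n; i++)
        if (san_matches_email(&sans[i], expected))
            return true;
    return false;
}

/* Constructed sample: a DNS entry first (must be skipped), then an otherName. */
static struct other_name sample_other = { OID_SMTP_UTF8_MAILBOX, "alice@example.com" };
static struct general_name sample_sans[] = {
    { GEN_DNS_T,       { .dNSName = "mail.example.com" } },
    { GEN_OTHERNAME_T, { .otherName = &sample_other } },
};

bool demo_check(const char *expected)
{
    return cert_matches_email(sample_sans, 2, expected);
}
```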
The vulnerability can result in abnormal termination of the application process, causing a denial of service (DoS). The impact is considered Moderate as TLS servers rarely solicit client certificates, and even when they do, they generally don't perform name checks against reference identifiers. The FIPS modules in affected versions are not impacted by this vulnerability (OpenSSL Advisory).
Users should upgrade to the following fixed versions: OpenSSL 3.3.2 for 3.3 users, OpenSSL 3.2.3 for 3.2 users, OpenSSL 3.1.7 for 3.1 users, and OpenSSL 3.0.15 for 3.0 users. OpenSSL versions 1.1.1 and 1.0.2 are not affected by this vulnerability (OpenSSL Advisory).
Source: This report was generated using AI