Platform: openssl
Component: openssl
Fixed in: 0.10.9
CVE-2018-20997 describes a use-after-free in the openssl crate, the Rust bindings for the OpenSSL library published on crates.io (the rust-openssl project). It is not a flaw in the OpenSSL C library itself: the affected versions (prior to 0.10.9) are crate versions, and the fix shipped in crate release 0.10.9. Because the bug sits in the crate's safe wrapper around the C API, application code that never writes `unsafe` can still reach it, which is precisely the memory-safety guarantee such a wrapper exists to provide.
A use-after-free lets code read or write memory after it has been returned to the allocator. In the mildest case the process crashes, which is a denial of service. If the freed region has already been reused for other data, the stale access corrupts heap state, and an attacker who controls enough of the surrounding input may be able to steer that corruption towards arbitrary code execution inside the affected process. How practical that is depends on which code path reaches the bug and how much of its input is attacker-controlled; no working exploit is documented here. The impact is nonetheless serious because the crate sits on the TLS and cryptographic path of many Rust services.
The advisory was published on June 1, 2018. No active exploitation campaigns have been linked to this CVE and no public proof-of-concept is referenced here, but use-after-free bugs in widely deployed cryptographic code attract attention, so treat the upgrade as a priority. This vulnerability is not currently listed in the CISA KEV catalog.
Any Rust binary whose dependency graph includes the openssl crate below 0.10.9 is affected, whether the dependency is declared directly or pulled in transitively (for example through native-tls, which is backed by the openssl crate on Linux). This covers Rust web services, command-line tools and embedded or agent software that use the crate for TLS or other cryptographic operations; applications handling sensitive data are the most exposed.
• Rust / supply chain: Run cargo audit, which matches Cargo.lock against the RustSec advisory database, or inspect Cargo.lock directly for an openssl package entry below 0.10.9. Check transitive dependencies too: the crate is frequently pulled in by TLS or database client crates rather than declared in your own Cargo.toml.
• Generic web: Watch for unexplained segmentation faults, aborts or allocator errors in processes that link the crate; a use-after-free usually surfaces as a crash long before anyone exploits it. Running the test suite under a memory sanitizer or Valgrind can flag the stale access deterministically.
• Databases (MySQL, Redis, MongoDB, PostgreSQL): The database servers themselves are not affected. The concern is Rust client crates that negotiate TLS through the openssl crate, directly or via native-tls; check which openssl crate version those clients lock in.
Disclosure: June 1, 2018
Exploit status: no confirmed active exploitation; not listed in CISA KEV
EPSS: 0.50% (66th percentile)
CVSS vector: (not provided)
The fix is to upgrade the openssl crate to 0.10.9 or later (cargo update -p openssl, or raise the requirement in Cargo.toml), then rebuild and redeploy every binary that links it. A Rust dependency is compiled into the executable, so unlike a shared library the fix does not arrive by patching the host. If an immediate rebuild is not possible, limit network exposure of the affected service and restrict untrusted input to the code paths that reach the crate. A WAF cannot address a memory-corruption bug inside a compiled dependency and should not be counted as a mitigation. Verify the fix by inspecting Cargo.lock or running cargo tree -i openssl after the upgrade; note that openssl version reports the C library installed on the host and says nothing about the crate version built into your binaries.
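As an added example, not part of this advisory or of the rust-openssl project, the following POSIX shell script performs the check described in the detection list and in the mitigation paragraph above: it reads a Cargo.lock, extracts every version of the openssl crate recorded in it (direct or transitive) and reports whether any is below 0.10.9. The embedded Cargo.lock fragment is constructed sample input and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample Cargo.lock fragment (not from a real project); the
# openssl entry is deliberately below the fixed version 0.10.9.
SAMPLE_LOCK='[[package]]
name = "openssl"
version = "0.10.8"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl-sys"
version = "0.9.39"
source = "registry+https://github.com/rust-lang/crates.io-index"
'

# lock_version CRATE  < Cargo.lock
# Prints every version of CRATE recorded in the lock file, one per line.
# Cargo.lock lists each package as a [[package]] table whose "name" line
# precedes its "version" line, so we reset state on each table header.
lock_version() {
  awk -v want="$1" '
    /^\[\[package\]\]/ { name = ""; ver = "" }
    /^name = /    { gsub(/"/, "", $3); name = $3 }
    /^version = / { gsub(/"/, "", $3); ver = $3; if (name == want) print ver }
  '
}

# version_lt A B
# Returns 0 when semver triple A is strictly below B, comparing the three
# numeric components in order (a pre-release suffix such as -beta is ignored).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# check_lock < Cargo.lock
# Exit status: 0 = all openssl versions fixed, 1 = a vulnerable version is
# locked in, 2 = the crate is not present at all. A lock file can contain
# several versions of the same crate, so every entry is checked.
check_lock() {
  versions=$(lock_version openssl)
  if [ -z "$versions" ]; then
    echo "openssl crate not present in lock file"
    return 2
  fi
  rc=0
  for v in $versions; do
    if version_lt "$v" 0.10.9; then
      echo "VULNERABLE: openssl $v (< 0.10.9, CVE-2018-20997)"
      rc=1
    else
      echo "OK: openssl $v"
    fi
  done
  return $rc
}

# Stand-alone demo against the constructed sample. For a real project run
#   check_lock < Cargo.lock
# from the crate root and act on a non-zero exit status.
printf '%s' "$SAMPLE_LOCK" | check_lock || echo "check_lock exit status: $?"
```

The script reads Cargo.lock rather than Cargo.toml because the lock file records the version actually compiled into the binary, including crates you never declared yourself. Where cargo-audit is installed, cargo audit performs this lookup against the whole RustSec database and is the better tool; the script is for build hosts or CI images where only a POSIX shell and awk are available.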
An official fix is available: openssl crate 0.10.9. Upgrade to it rather than relying on workarounds.
CVE-2018-20997 is a critical use-after-free in the Rust openssl crate: memory is accessed after it has been freed, potentially leading to a crash or to code execution inside the affected process.
You are affected if any binary you build or deploy depends, directly or transitively, on the openssl crate in a version prior to 0.10.9. Check Cargo.lock rather than Cargo.toml, since the lock file records the version actually compiled in.
Upgrade to openssl crate 0.10.9 or later, rebuild, and redeploy. Make sure dependent crates that pin an older openssl version are updated as well, otherwise the vulnerable version remains in the build.
While no confirmed active exploitation campaigns are publicly known, use-after-free bugs are a frequent exploitation target, so treat the upgrade as a priority.
For details see the RustSec advisory RUSTSEC-2018-0010 (https://rustsec.org/advisories/RUSTSEC-2018-0010.html) and the crate's repository at https://github.com/sfackler/rust-openssl. The OpenSSL project's own security advisories (https://www.openssl.org/news/security/) cover the C library, not this crate, and do not list this CVE.