PT-2020-12625 · Openvpn · Openvpn Access Server
Published 2020-05-04 · Updated 2020-05-12 · CVE-2020-11462
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
OpenVPN Access Server versions 2.7.0 and earlier
OpenVPN Access Server versions 2.8.x through 2.8.2
Description
An issue was discovered in OpenVPN Access Server. With the full-featured RPC2 interface enabled, a client can put the management interface into a temporary DoS state by sending an XML Entity Expansion (XEE) payload to the XMLRPC-based RPC2 interface. How long the DoS state lasts depends on available memory and CPU speed.
Recommendations
For OpenVPN Access Server versions 2.7.0 and earlier, update to version 2.7.0 or later.
For OpenVPN Access Server versions 2.8.x through 2.8.2, update to version 2.8.3 or later.
As a temporary workaround, consider disabling the full-featured RPC2 interface until a patch is available.
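The kind of input check that stops XML Entity Expansion from reaching an XML-RPC parser, as an added example that is not part of this advisory and not OpenVPN's RPC2 code or its fix: a Python guard that refuses a request body if it is over-size, declares a DOCTYPE or any entity, or is not well-formed, before the body is handed to the XML-RPC layer. The size limit (MAX_BODY_BYTES), the method name and both sample bodies are constructed for the example and do not come from the advisory.

```python
# Added example: a pre-parse guard for XML-RPC request bodies. Generic
# illustrative code, not OpenVPN Access Server's RPC2 implementation.
from xml.parsers import expat

# Assumed limit for one XML-RPC request body; tune to the real interface.
MAX_BODY_BYTES = 64 * 1024


class UnsafeXmlError(ValueError):
    """Raised when a request body must not reach the XML-RPC parser."""


def check_xmlrpc_body(body: bytes, max_bytes: int = MAX_BODY_BYTES) -> None:
    """Raise UnsafeXmlError if body is over-size, carries a DOCTYPE or any
    entity declaration, or is not well-formed XML. Returns None on success."""
    if len(body) > max_bytes:
        raise UnsafeXmlError(f"body is {len(body)} bytes, limit is {max_bytes}")

    parser = expat.ParserCreate()

    # XML-RPC never needs a DTD: refuse the document as soon as one starts,
    # before any entity inside it can be declared or expanded.
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} is not allowed in XML-RPC")

    # Defence in depth: any entity declaration that slips through is fatal.
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXmlError(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Never resolve external entities; returning 0 makes expat abort the parse.
    parser.ExternalEntityRefHandler = lambda *args: 0

    try:
        parser.Parse(body, True)  # True: this is the final chunk of input
    except expat.ExpatError as exc:
        raise UnsafeXmlError(f"malformed XML: {exc}") from exc


def classify_request(body: bytes, max_bytes: int = MAX_BODY_BYTES) -> str:
    """Return 'accept' or 'reject: <reason>', suitable for a log line."""
    try:
        check_xmlrpc_body(body, max_bytes)
    except UnsafeXmlError as exc:
        return f"reject: {exc}"
    return "accept"


# Constructed sample bodies (not captured traffic; method name is invented).
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>example.ping</methodName>
  <params><param><value><string>alice</string></value></param></params>
</methodCall>"""

# Carries a DTD with one internal entity: enough to show the guard fires on
# the declaration itself, before any expansion could take place.
DTD_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [ <!ENTITY e "x"> ]>
<methodCall><methodName>&e;</methodName></methodCall>"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("dtd", DTD_REQUEST)):
        print(f"{label}: {classify_request(body)}")
```

Rejecting on the DOCTYPE rather than counting expansions is deliberate: the interface has no legitimate use for a DTD, so the cheapest decision is also the safest, and the body never consumes parser memory or CPU beyond the first declaration. The size cap bounds the work done even for well-formed input.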
Fix
XML Entity Expansion
Affected Products
Openvpn Access Server