CVE-2024-0727

Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 3.2 (excluding FIPS modules in 3.2, 3.1, and 3.0)

Description The issue arises from the improper handling of NULL fields in PKCS12 files, leading to a potential Denial of Service attack. Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly due to a NULL pointer dereference. The affected OpenSSL APIs are: PKCS12 parse(), PKCS12 unpack p7data(), PKCS12 unpack p7encdata(), PKCS12 unpack authsafes(), and PKCS12 newpass().

Recommendations As a temporary workaround, consider disabling the use of PKCS12 parse(), PKCS12 unpack p7data(), PKCS12 unpack p7encdata(), PKCS12 unpack authsafes(), and PKCS12 newpass() functions until a patch is available. Restrict access to PKCS12 files from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.