PT-2024-3762 · Openssl
Manish Patidar
Published 2024-04-08 · Updated 2026-04-27
CVE-2024-2511
CVSS v3.1: 5.9 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 3.3.0
Description
The issue is unbounded memory growth when processing TLSv1.3 sessions on a server that uses the non-default SSL_OP_NO_TICKET option. This can lead to a Denial of Service. The problem occurs when the session cache gets into an incorrect state and fails to flush properly as it fills. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. This issue only affects TLS servers supporting TLSv1.3 and does not affect TLS clients. The FIPS modules in 3.2, 3.1, and 3.0 are not affected by this issue, nor is OpenSSL 1.0.2.
Recommendations
To resolve the issue, update to OpenSSL version 3.3.0 or later. As a temporary workaround, consider disabling the use of the SSL_OP_NO_TICKET option in TLSv1.3 server configurations until a patch is available. Restrict access to TLSv1.3 sessions to minimize the risk of exploitation.
Exploit
Fix
DoS
Improper Resource Release
Affected Products
Alt Linux
Almalinux
Astra Linux
Ibm Aix
Linuxmint
Openssl
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu