
Thread: CVE-2024-5535 - OpenSSL NPN vulnerability

  1. #1
    Join Date: Sep 2024 | Beans: 1

    CVE-2024-5535 - OpenSSL NPN vulnerability

    CVE-2024-5535 is a vulnerability in OpenSSL to do with NPN. OpenSSL say it's not a high priority, but they have patched it.

    Unfortunately that patch hasn't made it to Ubuntu 22.04, and NIST have flagged the vulnerability as critical - 9.something. Which means any corporate users with security auditing have a problem - the auditors see the 9 and say "It must go".

    Does anybody have any idea about what to do about this?

    cheers,
    clive

    (struggling with security auditors)

  2. #2
    Join Date: Apr 2008 | Beans: 113

    Re: CVE-2024-5535 - OpenSSL NPN vulnerability

    According to the security notice, CVE-2024-5535 has been fixed for openssl in Ubuntu 22.04.

    https://ubuntu.com/security/CVE-2024-5535
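    One way to turn the statement in #2 into evidence for an auditor, as an added example that is not from this thread: on Ubuntu the security team lists the CVEs closed by a security upload in the package's Debian changelog, so checking the installed changelog for the identifier shows whether the patched build is actually what is on the box. The sample changelog, its version string and the helper names below are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Ubuntu's tooling): report whether
# a given CVE identifier appears in a Debian-format changelog, plain or gzipped.
# Prints "fixed" / "not-referenced" / "missing" and returns 0 / 1 / 2.
cve_in_changelog() {
    cve="$1"
    changelog="$2"
    [ -r "$changelog" ] || { echo "missing"; return 2; }
    case "$changelog" in
        *.gz) reader="zcat" ;;   # installed changelogs are gzipped
        *)    reader="cat" ;;
    esac
    if "$reader" "$changelog" | grep -q -- "$cve"; then
        echo "fixed"
        return 0
    fi
    echo "not-referenced"
    return 1
}

# Constructed sample changelog (hypothetical version string and maintainer) so
# the check can be exercised offline; this is NOT a real Ubuntu changelog entry.
make_sample_changelog() {
    cat > "$1" <<'EOF'
openssl (3.0.2-0ubuntu1.EXAMPLE) jammy-security; urgency=medium

  * SECURITY UPDATE: NPN issue (constructed placeholder text)
    - CVE-2024-5535

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000
EOF
}

# Real-system usage on Ubuntu 22.04: installed version plus changelog check.
# Pair the result with the advisory at https://ubuntu.com/security/CVE-2024-5535.
check_installed_openssl() {
    printf 'openssl version: %s\n' "$(dpkg-query -W -f='${Version}' openssl 2>/dev/null)"
    cve_in_changelog "CVE-2024-5535" /usr/share/doc/openssl/changelog.Debian.gz
}
```

Run `check_installed_openssl` on the host being audited; a "not-referenced" result means the installed openssl package predates the security upload, so it needs updating before the finding can be closed.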

  3. #3
    Join Date: Mar 2014 | Location: Germany | Beans: 16 | Distro: Xubuntu

    Re: CVE-2024-5535 - OpenSSL NPN vulnerability

    From an AUDITOR perspective, a “critical” vulnerability does not mean your audit will fail (if so, fire that guy!!!).

    What is needed is an evaluation of the vulnerability and how it affects your risk assessment process.

    If your team come to the conclusion “well, we know about it, but without any special circumstances no one can exploit it”, then it's fine and falls under the term “risk acceptance”.
    There is also “risk mitigation”, which puts some other technical/human means in place to (you may guess) mitigate a risk.

    Let's assume the risk is really high, no fix is available and immediate action is needed ... well, in that case, you have to find a solution without that CVE (in the worst-case scenario, a different system).

    Anyway:
    The important thing is the written justification, which is based on your risk treatment process.

    But for god’s sake: don't get misled by a CVE number.
