CVE-2024-5535 is a vulnerability in OpenSSL to do with NPN. OpenSSL say it's not a high priority, but they have patched it. Unfortunately that patch hasn't made it to Ubuntu 22.04, and NIST have flagged the vulnerability as critical - 9.something. Which means any corporate users with security auditing have a problem - the auditors see the 9 and say "It must go". Does anybody have any idea about what to do about this? cheers, clive (struggling with security auditors)
According to the security notice, CVE-2024-5535 has been fixed for openssl in Ubuntu 22.04. https://ubuntu.com/security/CVE-2024-5535
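Before arguing with the auditors it is worth confirming on the host itself that the installed package is at or above the version whose changelog records the fix. The script below is an added example, not from this thread or from Ubuntu: it pulls the package changelog with `apt-get changelog`, finds the newest stanza mentioning the CVE id (the only value taken from the thread), and compares that version with what `dpkg-query` reports as installed. It assumes a dpkg/apt system with `jammy-security` in its sources and network access for the changelog fetch; the package name `libssl3` is an assumption about which binary package carries the OpenSSL library on 22.04.

```shell
#!/bin/sh
# Added example, not part of the thread: verify locally whether an installed
# Debian/Ubuntu package is at or above the version whose changelog mentions
# a given CVE. Assumes dpkg-query, apt-get and awk are available and that
# `apt-get changelog` can reach the archive.

# Print the version of the newest changelog stanza (read from stdin) that
# mentions the CVE id given in $1; print nothing if no stanza mentions it.
fix_version_from_changelog() {
    cve="$1"
    awk -v cve="$cve" '
        # Stanza header looks like: pkg (version) suite; urgency=...
        /^[a-z0-9.+-]+ \(/ { ver = $2; gsub(/[()]/, "", ver) }
        # First stanza body line naming the CVE wins, since newest comes first.
        index($0, cve)    { print ver; exit }
    '
}

# Check one installed package against the archive changelog.
# Exit status: 0 = installed version carries the fix, 1 = not fixed or
# no changelog entry found, 2 = package missing or changelog unavailable.
check_package_cve() {
    pkg="$1"; cve="$2"
    installed=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || {
        echo "$pkg: not installed"; return 2; }
    changelog=$(apt-get changelog "$pkg" 2>/dev/null) || {
        echo "$pkg: could not fetch changelog (check apt sources/network)"; return 2; }
    fixver=$(printf '%s\n' "$changelog" | fix_version_from_changelog "$cve")
    if [ -z "$fixver" ]; then
        echo "$pkg $installed: no changelog entry mentions $cve"
        return 1
    fi
    if dpkg --compare-versions "$installed" ge "$fixver"; then
        echo "$pkg $installed: at or above $fixver, which references $cve"
        return 0
    fi
    echo "$pkg $installed: older than $fixver, which references $cve"
    return 1
}

# Usage: sh check_cve.sh libssl3 CVE-2024-5535
if [ $# -ge 2 ]; then
    check_package_cve "$1" "$2"
fi
```

The version parsed out of the changelog is the archive's candidate, so a host that is behind on updates will correctly report "older than" and tell you that `apt-get upgrade` is the action, while a host that already has the security update gives the auditors a concrete package version to record against the finding.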
From an AUDITOR perspective, a “critical” vulnerability does not mean your audit will fail (if so, fire that guy!!!). What is needed is an evaluation of the vulnerability and how it affects your risk assessment process. If your team come to the conclusion “well, we know about it but, without any special circumstances no one can exploit it” then it's fine and falls under the term “risk acceptance”. There is also “risk mitigation”, which will place some other technical/human means to (you may guess) mitigate a risk. Let's assume the risk is really high and no fix is available and immediate action is needed ... well, in that case, you have to find a solution without that CVE (in the worst case scenario, a different system). Anyway: the important thing is the written justification, which is based on your risk treatment process. But for god’s sake: don't get misled by a CVE number