CVE-2017-7521 — Uncontrolled Resource Consumption in Openvpn

CWE-400 — Uncontrolled Resource Consumption CWE-415 — Double Free CWE-772 — Missing Release of Resource after Effective Lifetime CWE-863 — Incorrect Authorization14 documents8 sources

Severity

9.8CRITICALNVD

NVD5.9OSV5.9

EPSS

0.4%

top 36.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openvpn Debian Openvpn Openvpn Technologies INC Openvpn

Timeline

PublishedJun 27

Latest updateMay 13

Description

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension().

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/openvpn< openvpn 2.4.3-1 (bookworm)

▶Debianopenvpn/openvpn< 2.4.3-1+3

▶Ubuntuopenvpn/openvpn< 2.3.2-7ubuntu3.2+1

▶NVDopenvpn/openvpn2.3.16+3

▶CVEListV5openvpn_technologies_inc/openvpnbefore 2.3.17, before 2.4.3+1

🔴Vulnerability Details

GHSA

GHSA-mmxr-6344-9fv5: OpenVPN versions before 2↗2022-05-13

▶

GHSA

GHSA-6574-p8rp-gxqh: Red Hat 3scale (aka RH-3scale) API Management Platform (AMP) before 2↗2022-05-13

▶

OSV

CVE-2017-7521: OpenVPN versions before 2↗2017-06-27

▶

OSV

openvpn vulnerabilities↗2017-06-22

▶

📋Vendor Advisories

Red Hat

AMP: validation bypass in oauth↗2017-07-06

▶

Ubuntu

OpenVPN vulnerabilities↗2017-06-22

▶

Red Hat

openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17↗2017-06-21

▶

Debian

CVE-2017-7521: openvpn - OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-...↗2017

▶

💬Community

HackerOne

4 severe remote + several minor OpenVPN vulnerabilities↗2019-10-14

▶

Bugzilla

CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17↗2017-06-21

▶

Bugzilla

CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17 [epel-all]↗2017-06-21

▶

Bugzilla

CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17 [fedora-all]↗2017-06-21

▶