SUSE update for openvpn
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-28882 |
| CWE-ID | CWE-399 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Basesystem Module Operating systems & Components / Operating system SUSE Linux Enterprise Real Time 15 Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Desktop 15 Operating systems & Components / Operating system openvpn-auth-pam-plugin-debuginfo Operating systems & Components / Operating system package or component openvpn-debugsource Operating systems & Components / Operating system package or component openvpn-debuginfo Operating systems & Components / Operating system package or component openvpn-down-root-plugin Operating systems & Components / Operating system package or component openvpn-devel Operating systems & Components / Operating system package or component openvpn-auth-pam-plugin Operating systems & Components / Operating system package or component openvpn Operating systems & Components / Operating system package or component openvpn-down-root-plugin-debuginfo Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Resource management error
EUVDB-ID: #VU92938
Risk: Low
CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-28882
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. A remote authenticated client can make the server "keep the session" even when the server has been told to disconnect this client.
MitigationUpdate the affected package openvpn to the latest version.
Vulnerable software versionsBasesystem Module: 15-SP6
SUSE Linux Enterprise Real Time 15: SP6
openSUSE Leap: 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP6
SUSE Linux Enterprise Server 15: SP6
SUSE Linux Enterprise Desktop 15: SP6
openvpn-auth-pam-plugin-debuginfo: before 2.6.8-150600.3.3.1
openvpn-debugsource: before 2.6.8-150600.3.3.1
openvpn-debuginfo: before 2.6.8-150600.3.3.1
openvpn-down-root-plugin: before 2.6.8-150600.3.3.1
openvpn-devel: before 2.6.8-150600.3.3.1
openvpn-auth-pam-plugin: before 2.6.8-150600.3.3.1
openvpn: before 2.6.8-150600.3.3.1
openvpn-down-root-plugin-debuginfo: before 2.6.8-150600.3.3.1
CPE2.3- cpe:2.3:o:suse:basesystem_module:15-SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensuse_leap:15.6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:a:suse:openvpn-auth-pam-plugin-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:openvpn-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:openvpn-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:openvpn-down-root-plugin:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:openvpn-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:openvpn-auth-pam-plugin:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:openvpn:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:openvpn-down-root-plugin-debuginfo:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2024/suse-su-20243502-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
