UBUNTU-CVE-2024-41996

Source
https://ubuntu.com/security/CVE-2024-41996
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-41996.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-41996
Related
  • CVE-2024-41996
Published
2024-08-26T06:15:00Z
Modified
2025-06-02T17:27:44Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. For a safe prime p = 2q + 1 the order check computes y^q mod p for the client's public value y, which is a full-size modular exponentiation costing about as much as the key agreement itself, so an order-checking server roughly doubles its per-handshake work while the client can send an arbitrary in-range y without computing anything. The client thereby causes asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and to validate the order of the public key.
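The cost asymmetry described above, as an added example that is not code from the advisory or from OpenSSL: a model DHE server that range-checks a client public value y and optionally runs the subgroup-order check y^q mod p == 1, counting how many full-size modular exponentiations each handshake costs it. The safe prime is the RFC 2409 group 2 (1024-bit MODP) modulus, chosen here only for brevity; the names server_handshake, order_check_full, order_check_cheap and attacker_public_key are this example's own. The Jacobi-symbol shortcut is the standard algebraic equivalent of the order check on a safe prime, shown as a mitigation idea, not as OpenSSL's actual fix.

```python
# Added example (not from the advisory or OpenSSL): a model TLS server that
# range-checks a client DHE public key y and optionally verifies its subgroup
# order with y^q mod p == 1.  On a safe prime p = 2q + 1 that check is a
# full-size modexp, as costly as deriving the shared secret, so an order-
# checking server does twice the work for a client that computed nothing.
import secrets
import time

# Constructed input: the RFC 2409 group 2 (1024-bit MODP) safe prime, chosen
# for brevity; the argument is identical for the RFC 7919 ffdhe* groups.
_P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
"""
P = int("".join(_P_HEX.split()), 16)
Q = (P - 1) // 2   # prime subgroup order of a safe prime
G = 2              # quadratic residue mod P, so it generates the order-q subgroup
assert pow(G, Q, P) == 1, "constant is not the expected safe prime"


def range_check(y):
    """Cheap check, no exponentiation: 1 < y < p - 1."""
    return 1 < y < P - 1


def order_check_full(y, modexp):
    """Expensive check: y^q mod p == 1, one modexp with a 1023-bit exponent."""
    return modexp(y, Q, P) == 1


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; a gcd-style loop, no exponentiation."""
    a %= n
    result = 1
    while a:
        twos = (a & -a).bit_length() - 1        # strip all factors of two at once
        a >>= twos
        if (twos & 1) and (n & 7) in (3, 5):
            result = -result
        a, n = n, a                             # quadratic reciprocity
        if (a & 3) == 3 and (n & 3) == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def order_check_cheap(y):
    """Same verdict as order_check_full on a safe prime: y^q == 1 iff (y/p) == 1."""
    return jacobi(y, P) == 1


def server_handshake(client_y, x_server, validate_order):
    """Server side of DHE.  Returns (accepted, shared_secret, modexps_spent)."""
    spent = 0

    def modexp(base, exp, mod):
        nonlocal spent
        spent += 1
        return pow(base, exp, mod)

    if not range_check(client_y):
        return False, None, spent
    if validate_order and not order_check_full(client_y, modexp):
        return False, None, spent
    return True, modexp(client_y, x_server, P), spent


def honest_client_key():
    """A genuine client pays one modexp to derive its public value."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)


def attacker_public_key():
    """The attacker pays nothing.  Any in-range y makes the server run the order
    check; G*G is a quadratic residue, so it passes and forces the second modexp."""
    return G * G


def benchmark(rounds=10):
    """Seconds per operation on this machine (informational, not asserted on)."""
    x, y = honest_client_key()

    def timed(fn):
        t0 = time.perf_counter()
        for _ in range(rounds):
            fn()
        return (time.perf_counter() - t0) / rounds

    return {"key_agreement": timed(lambda: pow(y, x, P)),
            "order_check_full": timed(lambda: pow(y, Q, P)),
            "order_check_jacobi": timed(lambda: jacobi(y, P))}


if __name__ == "__main__":
    x_s = secrets.randbelow(Q - 2) + 2
    for who, y in (("honest", honest_client_key()[1]), ("attacker", attacker_public_key())):
        for check in (False, True):
            ok, _, n = server_handshake(y, x_s, check)
            print(f"{who:8s} order_check={check!s:5s} accepted={ok!s:5s} server_modexps={n}")
    for name, secs in benchmark().items():
        print(f"{name:18s} {secs * 1e3:7.3f} ms")
```

Run it and compare the modexp counts: without the order check the server spends one exponentiation per handshake, with it two, and the attacker's y = 4 passes the check while costing the attacker no exponentiation at all. The benchmark line shows the order check taking as long as the key agreement, and the Jacobi-symbol variant (a gcd-like loop) reaching the same verdict far more cheaply.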

References

Affected packages

Ubuntu:22.04:LTS / nodejs

Package

Name
nodejs
Purl
pkg:deb/ubuntu/nodejs@12.22.9~dfsg-1ubuntu3.6?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

12.*

12.22.5~dfsg-5ubuntu1
12.22.7~dfsg-2ubuntu1
12.22.7~dfsg-2ubuntu3
12.22.9~dfsg-1ubuntu2
12.22.9~dfsg-1ubuntu3
12.22.9~dfsg-1ubuntu3.1
12.22.9~dfsg-1ubuntu3.2
12.22.9~dfsg-1ubuntu3.3
12.22.9~dfsg-1ubuntu3.4
12.22.9~dfsg-1ubuntu3.5
12.22.9~dfsg-1ubuntu3.6

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Resource consumption issue considered a bug fix by OpenSSL developers"
}

Ubuntu:22.04:LTS / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.19?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.1.1l-1ubuntu1

3.*

3.0.0-1ubuntu1
3.0.1-0ubuntu1
3.0.2-0ubuntu1
3.0.2-0ubuntu1.1
3.0.2-0ubuntu1.2
3.0.2-0ubuntu1.4
3.0.2-0ubuntu1.5
3.0.2-0ubuntu1.6
3.0.2-0ubuntu1.7
3.0.2-0ubuntu1.8
3.0.2-0ubuntu1.9
3.0.2-0ubuntu1.10
3.0.2-0ubuntu1.12
3.0.2-0ubuntu1.13
3.0.2-0ubuntu1.14
3.0.2-0ubuntu1.15
3.0.2-0ubuntu1.16
3.0.2-0ubuntu1.17
3.0.2-0ubuntu1.18
3.0.2-0ubuntu1.19

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Resource consumption issue considered a bug fix by OpenSSL developers"
}

Ubuntu:Pro:FIPS-preview:22.04:LTS / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.12+Fips1?arch=source&distro=fips-preview/jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*

3.0.2-0ubuntu1.10+Fips1
3.0.2-0ubuntu1.12+Fips1

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Resource consumption issue considered a bug fix by OpenSSL developers"
}

Ubuntu:Pro:FIPS-updates:22.04:LTS / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.19+Fips1?arch=source&distro=fips-updates/jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*

3.0.2-0ubuntu1.10+Fips1
3.0.2-0ubuntu1.12+Fips1
3.0.2-0ubuntu1.14+Fips1
3.0.2-0ubuntu1.15+Fips1
3.0.2-0ubuntu1.16+Fips1
3.0.2-0ubuntu1.17+Fips1
3.0.2-0ubuntu1.18+Fips1
3.0.2-0ubuntu1.19+Fips1

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Resource consumption issue considered a bug fix by OpenSSL developers"
}

Ubuntu:24.10 / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2@2024.05-2ubuntu0.3?arch=source&distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2024.*

2024.02-2
2024.05-1
2024.05-1ubuntu2
2024.05-2
2024.05-2ubuntu0.1
2024.05-2ubuntu0.2
2024.05-2ubuntu0.3

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Resource consumption issue considered a bug fix by OpenSSL developers"
}

Ubuntu:24.10 / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl@3.3.1-2ubuntu2.1?arch=source&distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*

3.0.13-0ubuntu3
3.0.13-0ubuntu4
3.2.1-3ubuntu1
3.2.2-1ubuntu1
3.2.2-1ubuntu3
3.3.1-2ubuntu1
3.3.1-2ubuntu2
3.3.1-2ubuntu2.1

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Resource consumption issue considered a bug fix by OpenSSL developers"
}

Ubuntu:24.04:LTS / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2@2024.02-2ubuntu0.3?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2023.*

2023.05-2
2023.11-2
2023.11-3
2023.11-4
2023.11-5
2023.11-6
2023.11-8

2024.*

2024.02-1
2024.02-2
2024.02-2ubuntu0.1
2024.02-2ubuntu0.3

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Resource consumption issue considered a bug fix by OpenSSL developers"
}

Ubuntu:24.04:LTS / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl@3.0.13-0ubuntu3.5?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*

3.0.10-1ubuntu2
3.0.10-1ubuntu2.1
3.0.10-1ubuntu3
3.0.10-1ubuntu4
3.0.13-0ubuntu2
3.0.13-0ubuntu3
3.0.13-0ubuntu3.1
3.0.13-0ubuntu3.2
3.0.13-0ubuntu3.3
3.0.13-0ubuntu3.4
3.0.13-0ubuntu3.5

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Resource consumption issue considered a bug fix by OpenSSL developers"
}

Ubuntu:25.04 / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2@2025.02-3ubuntu2?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2024.*

2024.05-2ubuntu0.1
2024.08-4
2024.11-1
2024.11-2
2024.11-5

2025.*

2025.02-3ubuntu1
2025.02-3ubuntu2

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Resource consumption issue considered a bug fix by OpenSSL developers"
}

Ubuntu:25.04 / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl@3.4.0-1ubuntu2?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.4.0-1ubuntu2

Affected versions

3.*

3.3.1-2ubuntu2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "binary_version": "3.4.0-1ubuntu2",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "3.4.0-1ubuntu2",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "3.4.0-1ubuntu2",
            "binary_name": "libssl3t64"
        },
        {
            "binary_version": "3.4.0-1ubuntu2",
            "binary_name": "libssl3t64-dbgsym"
        },
        {
            "binary_version": "3.4.0-1ubuntu2",
            "binary_name": "openssl"
        },
        {
            "binary_version": "3.4.0-1ubuntu2",
            "binary_name": "openssl-dbgsym"
        },
        {
            "binary_version": "3.4.0-1ubuntu2",
            "binary_name": "openssl-provider-legacy"
        },
        {
            "binary_version": "3.4.0-1ubuntu2",
            "binary_name": "openssl-provider-legacy-dbgsym"
        }
    ],
    "priority_reason": "Resource consumption issue considered a bug fix by OpenSSL developers"
}
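Checking a host against the package data above, as an added example that is not part of this advisory: the version strings are Debian/Ubuntu package versions, so a plain string or float comparison gets "1.19" versus "1.9" and "~dfsg" wrong. The block ports dpkg's verrevcmp() ordering ('~' sorts before the empty string, which sorts before digits), and encodes the page's ranges: only the plucky openssl entry carries a Fixed event (3.4.0-1ubuntu2); every other entry has Introduced 0 and no Fixed, which under OSV range semantics means all versions of that package are affected. The FIXED table, the assess() function and the dpkg-query call are this example's own; the live query assumes dpkg-query is on PATH.

```python
# Added example: decide from this advisory's own data whether an installed
# Ubuntu package build is affected.  Only plucky/openssl carries a Fixed
# event; the other entries have "Introduced 0" and no fix, so every version
# of those packages counts as affected under OSV range semantics.
import subprocess


def _order(c):
    """dpkg's character ordering: '~' < end-of-string < digits < letters < other."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":       # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():       # longer numeric run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    def split(v):                               # [epoch:]upstream[-revision]
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, _, revision = rest.rpartition("-")
        if not upstream:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# (distro as in the advisory's purl, source package) -> Fixed version, or None
# when the advisory lists no fix.  Copied from the entries on this page.
FIXED = {
    ("plucky", "openssl"): "3.4.0-1ubuntu2",
    ("jammy", "openssl"): None, ("jammy", "nodejs"): None,
    ("noble", "openssl"): None, ("noble", "edk2"): None,
    ("oracular", "openssl"): None, ("oracular", "edk2"): None,
    ("fips-preview/jammy", "openssl"): None,
    ("fips-updates/jammy", "openssl"): None,
}


def assess(distro, package, installed):
    """'fixed', 'affected' or 'not-tracked' for an installed source version."""
    if (distro, package) not in FIXED:
        return "not-tracked"
    fixed = FIXED[(distro, package)]
    if fixed is not None and compare_versions(installed, fixed) >= 0:
        return "fixed"
    return "affected"


def installed_source_version(binary_package):
    """Live query of the local dpkg database (assumes dpkg-query is on PATH)."""
    out = subprocess.run(["dpkg-query", "-W", "-f=${source:Version}", binary_package],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    import sys
    distro, pkg = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else ("jammy", "openssl")
    ver = installed_source_version(pkg)
    print(f"{distro}/{pkg} {ver}: {assess(distro, pkg, ver)}")
```

Pass the distro codename from the purl (jammy, noble, oracular, plucky, fips-updates/jammy) and the binary package name; dpkg-query's ${source:Version} maps a binary such as libssl3t64 back to the openssl source version that the advisory's ranges refer to.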