Message-ID: <2d5bc5c3-81b9-4ab3-b477-7cf19c7acdbd@christopher-kunz.de>
Date: Thu, 24 Oct 2024 10:41:18 +0200
From: "Dr. Christopher Kunz" <info@...istopher-kunz.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m)
 parameters lead to OOB memory access

Am 23.10.24 um 11:10 schrieb Dr. Christopher Kunz:
>
>
> while OpenSSL rates this issue as "low severity", SuSE assesses it as 
> "moderate", with a CVSS 3.1 of 7.0 
> (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H).
>
> I'm curious about these two quite different assessments. Could OpenSSL 
> and SuSE maybe elaborate a little? 

FWIW,

both parties answered off-list (I needed an answer during the German 
business day and got held up by moderation).

The difference is that OpenSSL does not adhere to CVSS-style risk 
assessment, but assesses the severity of the bug together with the 
likelihood of exploitation. Due to the latter being extremely low, the 
overall assessment is "low".

SuSE, however, used vanilla CVSS 3.1 assessment which does not include 
exploitability metrics beyond "AC:H".

That explains the different scores.

Best regards,

--cku
