CVE-2024-4741: 
OpenSSL vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2024-4741) was discovered in OpenSSL's SSLfreebuffers API function. The vulnerability affects OpenSSL versions 3.3, 3.2, 3.1, 3.0 and 1.1.1, with the issue being reported on April 10th, 2024 by William Ahern from Akamai (OpenSSL Advisory).

The vulnerability occurs when calling the OpenSSL API function SSLfreebuffers, which may cause memory to be accessed that was previously freed in specific situations. Two scenarios have been identified: 1) When a record header has been received and processed, but the full record body hasn't arrived yet, and 2) When a full record containing application data has been received and processed but the application has only read part of this data. In both cases, calling SSLfreebuffers will succeed even though the buffer is still in use (OpenSSL Advisory).

The use-after-free vulnerability can potentially lead to corruption of valid data, system crashes, or execution of arbitrary code. However, the impact is limited as only applications that directly call the SSLfreebuffers function are affected. Applications that do not call this function are not vulnerable. OpenSSL's investigations indicate that this function is rarely used by applications (OpenSSL Advisory).

OpenSSL users should upgrade to the following versions once they become available: OpenSSL 3.3.1, OpenSSL 3.2.2, OpenSSL 3.1.6, OpenSSL 3.0.14, or OpenSSL 1.1.1y (premium support customers only). Due to the low severity of this issue, OpenSSL is not issuing immediate new releases. The fix will be included in the next releases. The fix is available in various commits for different versions in the OpenSSL git repository (OpenSSL Advisory).