CVE-2024-6119
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 03/09/2024
Last modified: 03/06/2025
Description
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can cause a denial of service.

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.

Note that basic certificate chain validation (signatures, dates, ...) is not affected; the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Impact
Base Score 3.x: 7.50
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.0.0 (including) | 3.0.15 (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.1.0 (including) | 3.1.7 (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.2.0 (including) | 3.2.3 (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.3.0 (including) | 3.3.2 (excluding) |
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* | | |
| cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:* | | |
| cpe:2.3:a:netapp:ontap_9:-:*:*:*:*:*:*:* | | |
| cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:* | | |
| cpe:2.3:a:netapp:ontap_tools:9:*:*:*:*:vmware_vsphere:*:* | | |
| cpe:2.3:o:netapp:brocade_fabric_operating_system:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f
- https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6
- https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2
- https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0
- https://openssl-library.org/news/secadv/20240903.txt
- http://www.openwall.com/lists/oss-security/2024/09/03/4
- https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html
- https://security.netapp.com/advisory/ntap-20240912-0001/