Alpine: libcrypto3, multiple openssl packages: security update to 3.3.0-r3

high Tenable Cloud Security Plugin ID 424307

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was
previously freed in some situations Impact summary: A use after free can have a range of potential
consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only
applications that directly call the SSL_free_buffers function are affected by this issue. Applications
that do not call this function are not vulnerable. Our investigations indicate that this function is
rarely used by applications. The SSL_free_buffers function is used to free the internal OpenSSL buffer
used when processing an incoming record from the network. The call is only expected to succeed if the
buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even
when still in use. The first scenario occurs where a record header has been received from the network and
processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers
will succeed even though a record has only been partially processed and the buffer is still in use. The
second scenario occurs where a full record containing application data has been received and processed by
OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed
even though the buffer is still in use. While these scenarios could occur accidentally during normal
operation a malicious attacker could attempt to engineer a stituation where this occurs. We are not aware
of this issue being actively exploited. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this
issue. (CVE-2024-4741)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-4741

Plugin Details

Severity: High

ID: 424307

Version: Revision 1.5

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C

CVSS Score Source: CVE-2024-4741

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/16/2024

Reference Information

CVE: CVE-2024-4741

IAVA: 2024-A-0321-S