This Red Hat security advisory addresses four vulnerabilities in OpenSSL and openssl-fips-provider affecting Red Hat Enterprise Linux 9. The vulnerabilities include unbounded memory growth during TLSv1.3 session handling (CVE-2024-2511), excessive processing time during DSA key and parameter checks (CVE-2024-4603), a use-after-free condition in SSL_free_buffers (CVE-2024-4741), and a buffer overread in SSL_select_next_proto (CVE-2024-5535). These issues could lead to resource exhaustion or memory corruption but have been rated with low security impact by Red Hat. The advisory provides updated package versions to fix these issues. The vendor has published detailed release notes and update instructions. No CVSS scores are provided in the advisory, and no active exploitation has been reported.

The vulnerabilities could cause unbounded memory growth, excessive CPU usage, use-after-free memory corruption, or buffer overread conditions in OpenSSL TLS operations. These issues may affect system stability or security but have been assessed by Red Hat as having low security impact. There are no reports of known exploits in the wild targeting these vulnerabilities. The impact is limited to affected Red Hat Enterprise Linux 9 systems running the vulnerable OpenSSL packages.

A security update for openssl and openssl-fips-provider packages is available for Red Hat Enterprise Linux 9. Users should apply the update as described in the Red Hat advisory RHSA-2024:9333 and the linked article https://access.redhat.com/articles/11258. This update addresses all four vulnerabilities. Since the advisory rates the impact as low and provides an official fix, applying the update is the recommended remediation. No additional mitigation steps are indicated by the vendor.