Alibaba Cloud Linux 3 : 0167: openssl (ALINUX3-SA-2026:0167)

Published: 01 Jul 2026 00:00:00
Reported by: Tenable
Type: nessus
Source: www.tenable.com

Alibaba Cloud Linux 3 updates OpenSSL to fix CVE-2024-4741, a use-after-free in SSL_free_buffers.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Alibaba Cloud Linux Security Advisory ALINUX3-SA-2026:0167.
##

include('compat.inc');

if (description)
{
  script_id(324085);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/01");

  script_cve_id("CVE-2024-4741", "CVE-2026-45447");

  script_name(english:"Alibaba Cloud Linux 3 : 0167: openssl (ALINUX3-SA-2026:0167)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Alibaba Cloud Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced
in the ALINUX3-SA-2026:0167 advisory.

    Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

    CVE-2024-4741:
    Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause
    memory to be accessed that was previously freed in some situations.
    Impact summary: A use after free can have a range of potential consequences such
    as the corruption of valid data, crashes or execution of arbitrary code.
    However, only applications that directly call the SSL_free_buffers function are
    affected by this issue. Applications that do not call this function are not
    vulnerable. Our investigations indicate that this function is rarely used by
    applications.
    The SSL_free_buffers function is used to free the internal OpenSSL buffer used
    when processing an incoming record from the network. The call is only expected
    to succeed if the buffer is not currently in use. However, two scenarios have
    been identified where the buffer is freed even when still in use.
    The first scenario occurs where a record header has been received from the
    network and processed by OpenSSL, but the full record body has not yet arrived.
    In this case calling SSL_free_buffers will succeed even though a record has only
    been partially processed and the buffer is still in use.
    The second scenario occurs where a full record containing application data has
    been received and processed by OpenSSL but the application has only read part of
    this data. Again a call to SSL_free_buffers will succeed even though the buffer
    is still in use.
    While these scenarios could occur accidentally during normal operation a
    malicious attacker could attempt to engineer a situation where this occurs.
    We are not aware of this issue being actively exploited.
    The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

    CVE-2026-45447:
    Issue summary: A specially crafted PKCS#7 or S/MIME signed message could
    trigger a use-after-free during PKCS#7 signature verification.
    Impact summary: A use-after-free may result in process crashes, heap
    corruption, or potentially remote code execution.
    When processing a PKCS#7 or S/MIME signed message, if the SignedData
    digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may
    incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent
    use of the BIO by the calling application results in a use-after-free
    condition.
    In the common case this occurs when the application later calls
    BIO_free() on the BIO originally passed to PKCS7_verify(). Depending
    on allocator behavior and application-specific BIO usage patterns, this
    may result in a crash or other memory corruption. In some application
    contexts this may potentially be exploitable for remote code execution.
    Applications that process PKCS#7 or S/MIME signed messages using OpenSSL
    PKCS#7 APIs may be affected. Applications using the CMS APIs for this
    processing are not affected.
    The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
    issue, as the affected code is outside the OpenSSL FIPS module boundary.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20260167.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-45447");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/07/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:openssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:openssl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:openssl-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:openssl-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:openssl-static");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alibabacloud:alibaba_cloud_linux_3");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Alibaba Cloud Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Alibaba/release", "Host/Alibaba/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'Alibaba Cloud Linux' >!< os_product) audit(AUDIT_OS_NOT, 'Alibaba Cloud Linux');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'Alibaba Cloud Linux');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'Alibaba Cloud Linux 3.x', 'Alibaba Cloud Linux ' + os_version);

if (!get_kb_item('Host/Alibaba/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Alibaba Cloud Linux', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'openssl-1.1.1k-16.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'openssl-1.1.1k-16.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'openssl-devel-1.1.1k-16.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'openssl-devel-1.1.1k-16.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'openssl-libs-1.1.1k-16.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'openssl-libs-1.1.1k-16.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'openssl-perl-1.1.1k-16.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'openssl-perl-1.1.1k-16.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'openssl-static-1.1.1k-16.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'openssl-static-1.1.1k-16.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openssl / openssl-devel / openssl-libs / openssl-perl / etc');
}

Vulners AI Score: 7.7 (High risk), current as of 01 Jul 2026 00:00
CVSS 3.1: 8.8
EPSS: 0.02945