Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

TencentOS Server 4: openssl (TSSA-2024:0289)

🗓️ 20 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 3 Views

TencentOS Server 4 OpenSSL vulnerable to CVE-2024-5535; empty protocol list may crash and leak data

Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins		Security Bulletin: Multiple Vulnerabilities in IBM API Connect
15 Mar 202500:18
ibm
IBM Security Bulletins		Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities
19 Jun 202505:35
ibm
IBM Security Bulletins		Security Bulletin: Security vulnerability found in package openssl shipped with IBM CICS TX Advanced.
17 Feb 202515:16
ibm
IBM Security Bulletins		Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to multiple Operator package issues
19 Jun 202517:24
ibm
IBM Security Bulletins		Security Bulletin: AIX is vulnerable to arbitrary code execution (CVE-2024-4741) and denial of service (CVE-2024-5535, CVE-2024-4603) due to OpenSSL
30 Jul 202422:02
ibm
IBM Security Bulletins		Security Bulletin: Multiple Vulnerabilities in IBM API Connect
19 Dec 202416:32
ibm
IBM Security Bulletins		Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System [CVE-2024-5535]
28 Jan 202522:08
ibm
IBM Security Bulletins		Security Bulletin: IBM i is affected by errors in OpenSSL as part of IBM Portable Utilities for i due to multiple vulnerabilities.
24 Jul 202517:48
ibm
IBM Security Bulletins		Security Bulletin: Vulnerability in openssl library (CVE-2024-5535) affects Power HMC.
18 Feb 202511:49
ibm
IBM Security Bulletins		Security Bulletin: IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities
11 Sep 202408:43
ibm
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2024:0289.
##

include('compat.inc');

if (description)
{
  script_id(276251);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/20");

  script_cve_id("CVE-2024-5535");

  script_name(english:"TencentOS Server 4: openssl (TSSA-2024:0289)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 4 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is,
therefore, affected by a vulnerability as referenced in the TSSA-2024:0289 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2024-5535:
    Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an
    empty supported client protocols buffer may cause a crash or memory contents to
    be sent to the peer.

    Impact summary: A buffer overread can have a range of potential consequences
    such as unexpected application beahviour or a crash. In particular this issue
    could result in up to 255 bytes of arbitrary private data from memory being sent
    to the peer leading to a loss of confidentiality. However, only applications
    that directly call the SSL_select_next_proto function with a 0 length list of
    supported client protocols are affected by this issue. This would normally never
    be a valid scenario and is typically not under attacker control but may occur by
    accident in the case of a configuration or programming error in the calling
    application.

    The OpenSSL API function SSL_select_next_proto is typically used by TLS
    applications that support ALPN (Application Layer Protocol Negotiation) or NPN
    (Next Protocol Negotiation). NPN is older, was never standardised and
    is deprecated in favour of ALPN. We believe that ALPN is significantly more
    widely deployed than NPN. The SSL_select_next_proto function accepts a list of
    protocols from the server and a list of protocols from the client and returns
    the first protocol that appears in the server list that also appears in the
    client list. In the case of no overlap between the two lists it returns the
    first item in the client list. In either case it will signal whether an overlap
    between the two lists was found. In the case where SSL_select_next_proto is
    called with a zero length client list it fails to notice this condition and
    returns the memory immediately following the client list pointer (and reports
    that there was no overlap in the lists).

    This function is typically called from a server side application callback for
    ALPN or a client side application callback for NPN. In the case of ALPN the list
    of protocols supplied by the client is guaranteed by libssl to never be zero in
    length. The list of server protocols comes from the application and should never
    normally be expected to be of zero length. In this case if the
    SSL_select_next_proto function has been called as expected (with the list
    supplied by the client passed in the client/client_len parameters), then the
    application will not be vulnerable to this issue. If the application has
    accidentally been configured with a zero length server list, and has
    accidentally passed that zero length server list in the client/client_len
    parameters, and has additionally failed to correctly handle a no overlap
    response (which would normally result in a handshake failure in ALPN) then it
    will be vulnerable to this problem.

    In the case of NPN, the protocol permits the client to opportunistically select
    a protocol when there is no overlap. OpenSSL returns the first client protocol
    in the no overlap case in support of this. The list of client protocols comes
    from the application and should never normally be expected to be of zero length.
    However if the SSL_select_next_proto function is accidentally called with a
    client_len of 0 then an invalid memory pointer will be returned instead. If the
    application uses this output as the opportunistic protocol then the loss of
    confidentiality will occur.

    This issue has been assessed as Low severity because applications are most
    likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not
    widely used. It also requires an application configuration or programming error.
    Finally, this issue would not typically be under attacker control making active
    exploitation unlikely.

    The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

    Due to the low severity of this issue we are not issuing new releases of
    OpenSSL at this time. The fix will be included in the next releases when they
    become available.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20240289.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-5535");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/12/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/08/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:openssl");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 4.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'openssl-3.0.12-8.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-3.0.12-8.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-debuginfo-3.0.12-8.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-debuginfo-3.0.12-8.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-debugsource-3.0.12-8.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-debugsource-3.0.12-8.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-devel-3.0.12-8.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-devel-3.0.12-8.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-libs-3.0.12-8.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-libs-3.0.12-8.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-libs-debuginfo-3.0.12-8.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-libs-debuginfo-3.0.12-8.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-perl-3.0.12-8.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'openssl-perl-3.0.12-8.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openssl / openssl-debuginfo / openssl-debugsource / etc');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Nov 2025 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS 3.19.1
EPSS0.06873
SSVC
openssl vulnerabilitycve 2024 5535application layer negotiationnext protocol negotiationmemory disclosureserver update
3