OpenVPN Critical Vulnerability - 20250110002 (#1154)

wagov · Jan 10, 2025 · 0586f72 · 0586f72
1 parent 8a23e6c
commit 0586f72
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/docs/advisories/20250110002-OpenVPN-Critical-Vulnerability.md b/docs/advisories/20250110002-OpenVPN-Critical-Vulnerability.md
@@ -0,0 +1,18 @@
+# OpenVPN Critical Vulnerability - 20250110002
+
+## Overview
+
+Security vulnerabilities within OpenVPN, first identified and patched in June 2024, has recently been disclosed publicly (as of January 2025) as being critical in severity. Exploitation of the vulnerability(s) allows attackers to inject arbitrary data into third-party executables or plug-ins, allowing them to execute code or cause denial-of-service attacks.
+
+## What is vulnerable?
+
+| Product(s) Affected | Version(s) | CVE                                                                     | CVSS         | Severity            |
+| ------------------- | ---------- | ----------------------------------------------------------------------- | ------------ | ------------------- |
+| OpenVPN             | < 2.6.11   | [CVE-2024-5594](https://nvd.nist.gov/vuln/detail/CVE-2024-5594)         | 9.1          | **Critical**        |
+
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- OpenVPN: <https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07634.html>