OpenSSL HTTP Client Out-of-Bounds Read Vulnerability in IPv6 Proxy Handling

Vulnerability

A vulnerability exists in the OpenSSL HTTP client API that can lead to an out-of-bounds read. This issue arises when the 'no_proxy' environment variable is set and the HTTP URL's host component is an IPv6 address. The out-of-bounds read can cause a crash, leading to a denial-of-service condition for the application. This vulnerability was introduced in OpenSSL versions 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0, and 3.5.0. Notably, the FIPS modules in OpenSSL 3.5, 3.4, 3.3, 3.2, 3.1, and 3.0 are not affected, as the HTTP client implementation falls outside the OpenSSL FIPS module boundary.

Impact

Exploitation of this vulnerability causes an out-of-bounds read that can trigger a crash, leading to a denial-of-service condition for the application.

Reproduction

To reproduce this vulnerability, an application must use the OpenSSL HTTP client API functions and set the 'no_proxy' environment variable. The application should then send a request to a URL that includes an IPv6 address in the host portion. This will trigger the out-of-bounds read condition.

Remediation

Users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.4. Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.3. Users of OpenSSL 3.3 should upgrade to OpenSSL 3.3.5. Users of OpenSSL 3.2 should upgrade to OpenSSL 3.2.6. Users of OpenSSL 3.0 should upgrade to OpenSSL 3.0.18.
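Added example (not from this advisory or the OpenSSL project): a Python helper that maps an installed OpenSSL version to the introduced and fixed releases listed above, so an inventory scan can flag hosts that still need the upgrade. The sample version strings are constructed; the 3.1 branch has no fixed release on this page, so 3.1.8 and later stay flagged with no upgrade target.

```python
# Added example: classify an OpenSSL version against the affected and fixed
# releases this advisory lists. Not code from the advisory or from OpenSSL.
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Per minor branch: (first affected release, first fixed release or None).
# From the advisory: introduced in 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0, 3.5.0;
# fixed in 3.0.18, 3.2.6, 3.3.5, 3.4.3, 3.5.4. No fix is listed for 3.1.
AFFECTED = {
    (3, 0): ((3, 0, 16), (3, 0, 18)),
    (3, 1): ((3, 1, 8), None),
    (3, 2): ((3, 2, 4), (3, 2, 6)),
    (3, 3): ((3, 3, 3), (3, 3, 5)),
    (3, 4): ((3, 4, 0), (3, 4, 3)),
    (3, 5): ((3, 5, 0), (3, 5, 4)),
}

def parse_version(text: str) -> Version:
    """Extract major.minor.patch from `openssl version` output or a bare string."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def assess(text: str) -> str:
    """Return 'vulnerable', 'fixed', 'unaffected' or 'unknown-branch'."""
    v = parse_version(text)
    branch = AFFECTED.get(v[:2])
    if branch is None:
        return "unknown-branch"  # e.g. 1.1.1 or a 3.x branch not in the advisory
    introduced, fixed = branch
    if v < introduced:
        return "unaffected"      # predates the release that introduced the bug
    if fixed is not None and v >= fixed:
        return "fixed"
    return "vulnerable"

def upgrade_target(text: str) -> Optional[str]:
    """First fixed release for a vulnerable version, or None if none is listed."""
    if assess(text) != "vulnerable":
        return None
    fixed = AFFECTED[parse_version(text)[:2]][1]
    return ".".join(map(str, fixed)) if fixed else None

if __name__ == "__main__":
    # Constructed sample version strings, in the shape `openssl version` prints
    for line in ["OpenSSL 3.5.2", "OpenSSL 3.0.15", "OpenSSL 3.1.8", "OpenSSL 3.4.3"]:
        print(line, "->", assess(line), upgrade_target(line))
```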

Added: Sep 30, 2025, 2:17 PM
Updated: Sep 30, 2025, 8:25 PM

Vulnerability Rating

Custom Algorithm scores (0-10):

spread: 8.6
impact: 2.5
exploitability: 8.4
remediation: 8.3
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.