CVE-2017-7521 - log

CVE-2017-7521 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A use-after-free has been found in OpenVPN < 2.4.3. The issue is caused by extract_x509_extension() not checking the return value of ASN1_STRING_to_UTF8() and, if that call failed, using and then freeing a memory allocation that has already been freed. The issue requires the use of the --x509-alt-username option with an x509 extension, and is very unlikely to be triggered unless the remote peer can make the local process run out of memory.
References
+ https://github.com/OpenVPN/openvpn/commit/cb4e35ece4
+ https://github.com/OpenVPN/openvpn/commit/2d032c7fcd
Notes