OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of server via received large control packet. Note that this issue is fixed in 2.3.15 and 2.4.2.
{
"unresolved_ranges": [
{
"source": "CPE_STRING",
"vendor_product": "openvpn:openvpn",
"extracted_events": [
{
"introduced": "2.3.12"
},
{
"last_affected": "2.3.12"
},
{
"introduced": "2.4.0-alpha2"
},
{
"last_affected": "2.4.0-alpha2"
},
{
"introduced": "2.4.0-alpha2"
},
{
"last_affected": "2.4.0-alpha2"
},
{
"introduced": "2.4.0-beta1"
},
{
"last_affected": "2.4.0-beta1"
},
{
"introduced": "2.4.0-beta1"
},
{
"last_affected": "2.4.0-beta1"
},
{
"introduced": "2.4.0-beta2"
},
{
"last_affected": "2.4.0-beta2"
},
{
"introduced": "2.4.0-beta2"
},
{
"last_affected": "2.4.0-beta2"
},
{
"introduced": "2.4.0-rc1"
},
{
"last_affected": "2.4.0-rc1"
},
{
"introduced": "2.4.0-rc1"
},
{
"last_affected": "2.4.0-rc1"
},
{
"introduced": "2.4.0-rc2"
},
{
"last_affected": "2.4.0-rc2"
},
{
"introduced": "2.4.0-rc2"
},
{
"last_affected": "2.4.0-rc2"
}
],
"cpes": [
"cpe:2.3:a:openvpn:openvpn:2.3.12:*:*:*:*:*:*:*",
"cpe:2.3:a:openvpn:openvpn:2.4.0:alpha2:*:*:*:*:*:*",
"cpe:2.3:a:openvpn:openvpn:2.4.0:beta1:*:*:*:*:*:*",
"cpe:2.3:a:openvpn:openvpn:2.4.0:beta2:*:*:*:*:*:*",
"cpe:2.3:a:openvpn:openvpn:2.4.0:rc1:*:*:*:*:*:*",
"cpe:2.3:a:openvpn:openvpn:2.4.0:rc2:*:*:*:*:*:*"
]
}
]
}{
"cpe": [
"cpe:2.3:a:openvpn:openvpn:2.3.12:*:*:*:*:*:*:*",
"cpe:2.3:a:openvpn:openvpn:2.3.13:*:*:*:*:*:*:*",
"cpe:2.3:a:openvpn:openvpn:2.3.14:*:*:*:*:*:*:*",
"cpe:2.3:a:openvpn:openvpn:2.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:openvpn:openvpn:2.4.1:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "2.3.12"
},
{
"last_affected": "2.3.12"
},
{
"introduced": "2.3.13"
},
{
"last_affected": "2.3.13"
},
{
"introduced": "2.3.14"
},
{
"last_affected": "2.3.14"
},
{
"introduced": "2.4.0"
},
{
"last_affected": "2.4.0"
},
{
"introduced": "2.4.1"
},
{
"last_affected": "2.4.1"
}
]
}