CVE-2024-12797 is a high-severity vulnerability in the OpenSSL cryptographic library, identified by Apple Inc. The flaw affects OpenSSL versions 3.2, 3.3, and 3.4 and concerns the handling of RFC 7250 handshakes. Specifically, when clients use raw public keys (RPKs) for server authentication, the handshake may not abort as expected if the server is unauthenticated. This failure can allow attackers to perform man-in-the-middle (MitM) attacks, compromising the security of TLS and DTLS connections that use RPKs.
The OpenSSL Project has released updates to address this issue. Users and administrators are strongly advised to upgrade to the latest versions of OpenSSL to mitigate potential risks associated with this vulnerability.
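A triage helper for the upgrade advice above, added here as an example and not taken from the OpenSSL Project or the original page: it reads `openssl version` output and flags hosts whose loaded library is in the affected 3.2, 3.3 or 3.4 series. The host names and banners are constructed, and `fixed_patch` is a hypothetical parameter for the first fixed patch levels, which this page does not state.

```python
import re

# Release series the page lists as affected by CVE-2024-12797.
AFFECTED_SERIES = {(3, 2), (3, 3), (3, 4)}
# Product name plus x.y.z, e.g. "OpenSSL 3.3.1" or "LibreSSL 3.3.6".
_VERSION = re.compile(r"\b(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")


def linked_library(banner):
    """Return (product, (major, minor, patch)) for the library actually loaded.

    When the CLI binary and the shared library differ, `openssl version`
    prints both; the "(Library: ...)" part is the code that handles TLS.
    """
    lib = re.search(r"\(Library:\s*([^)]*)\)", banner)
    m = _VERSION.search(lib.group(1) if lib else banner)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def triage(banner, fixed_patch=None):
    """Classify one version banner.

    fixed_patch (assumption, not from the page): optional map of
    {(major, minor): first fixed patch level}, taken from the OpenSSL advisory.
    """
    parsed = linked_library(banner)
    if parsed is None:
        return "unparsed"
    product, (major, minor, patch) = parsed
    # LibreSSL 3.3.x shares the numbers but is a different code base.
    if product != "OpenSSL" or (major, minor) not in AFFECTED_SERIES:
        return "not-in-affected-series"
    fixed = (fixed_patch or {}).get((major, minor))
    if fixed is not None and patch >= fixed:
        return "fixed"
    return "affected-series-upgrade"


# Constructed inventory: host name -> output of `openssl version`.
SAMPLE = {
    "web-01": "OpenSSL 3.3.1 4 Jun 2024",
    "web-02": "OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)",
    "bsd-01": "LibreSSL 3.3.6",
    "old-01": "OpenSSL 1.1.1w  11 Sep 2023",
}

if __name__ == "__main__":
    for host, banner in SAMPLE.items():
        print(host, triage(banner))
```

A host flagged `affected-series-upgrade` is exposed only if its client applications use RPKs for server authentication, so the flag marks where to check application configuration as well as where to upgrade.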