CVE-2024-7346

Client connections using default TLS certificates from OpenEdge may bypass TLS host name validation

Description

Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection.  This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security.  The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.

Remediation

Solution:

  • Use the 12.8.0 or above LTS release where the vulnerability does not exist
  • Use the 12.2 LTS release at the 12.2.15 Update level or above
  • Use the 11.7 LTS release at the 11.7.20 Update level or above

Workaround:

  • Replace all use of default OpenEdge TLS certificates with a CA-signed certificate from a recognized certificate authority that contains the necessary information to support host name validation
  • Use the "nohostverify" switch in development environments when clients need to bypass host name validation as a convenience prior to establishing valid certificates for production.

CVSS 3.1 score: 7.2 (Severity: High)
EPSS: 0.02%
Vendor advisory: progress.com
Affected: Progress OpenEdge

Frequently Asked Questions

What is the severity of CVE-2024-7346?
CVE-2024-7346 has been scored as a high severity vulnerability.
How to fix CVE-2024-7346?
To fix CVE-2024-7346: Use the 12.8.0 or above LTS release where the vulnerability does not exist
Is CVE-2024-7346 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2024-7346 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-7346?
CVE-2024-7346 affects Progress OpenEdge.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.