Bug 2224962 (CVE-2023-3446)

Summary: CVE-2023-3446 openssl: Excessive time spent checking DH keys and parameters
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acrosby, adudiak, agarcial, aoconnor, asegurap, bdettelb, berrange, bootloader-eng-team, caswilli, cllang, csutherl, dbelyavs, ddepaula, dffrench, dfreiber, dhalasz, dkuc, fjansen, gmccullo, gzaronik, hkataria, jaredz, jburrell, jclere, jferlan, jmartine, jmitchel, jsherril, jtanner, kaycoth, kraxel, kshier, mlewando, mmadzin, mtguarnera, mturk, ngough, nweather, pbonzini, peholase, pjanda, pjindal, pjones, pkotvan, plodge, psegedy, rgodfrey, rharwood, rh-spice-bugs, rogbas, stcannon, sthirugn, szappis, tsasak, virt-maint, vkrizan, vkumar, vmugicag, yguenane, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in OpenSSL. This security flaw occurs because the applications that use the DH_check(), DH_check_ex(), or EVP_PKEY_param_check() functions to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source may lead to a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2225349, 2225350, 2225351, 2225352, 2225353, 2225414, 2225415, 2225416, 2225417    
Bug Blocks: 2223014    

Description TEJ RATHI 2023-07-24 05:15:39 UTC 
Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

http://www.openwall.com/lists/oss-security/2023/07/19/4 	
http://www.openwall.com/lists/oss-security/2023/07/19/5 	
http://www.openwall.com/lists/oss-security/2023/07/19/6 	
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb 	
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528 	
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c 	
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23 	
https://www.openssl.org/news/secadv/20230719.txt
Comment 1 Sandipan Roy 2023-07-25 04:05:00 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 2225349]