Bug 2294868 (CVE-2024-34703)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2024-34703 botan: Denial of Service Due to Overly Large Elliptic Curve Parameters | | |
| Product | [Other] Security Response | Reporter | Mauro Matteo Cascella <mcascell> |
| Component | vulnerability | Assignee | Product Security <prodsec-ir-bot> |
| Status | NEW --- | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | Keywords | Security |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | botan 3.3.0, botan 2.19.4 | Doc Type | --- |
| Doc Text | A flaw was found in Botan. X.509 certificates can identify elliptic curves either by an object identifier or by an explicit encoding of the curve parameters. This flaw allows an attacker to present an ECDSA X.509 certificate that uses the explicit encoding with very large parameters; the proof of concept used a 16 Kbit prime for this purpose. When the parameters are parsed, the field parameter is checked for primality, and on an integer of that size this check causes excessive computation. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2294869, 2294870, 2295888, 2295889 | | |
| Bug Blocks | | | |
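The Doc Text describes the ordering problem: the field prime of an explicitly encoded curve is handed to a primality test before anything bounds its size, so a 16 Kbit integer turns certificate parsing into thousands of very large modular exponentiations. The script below is an added example, not Botan's code and not part of this bug report. It decodes only the fieldID of a SpecifiedECDomain structure (layout from RFC 3279 / SEC 1), rejects any field prime above a bound before the primality test runs, and reports whether the test was ever reached. The 521-bit bound, the DER helpers, the dummy curve coefficients and base point, and the 16384-bit odd integer standing in for the attacker's prime are all constructed for the example.

```python
"""Bound the size of an explicit EC field prime before running a primality test.

Added example, not Botan's code.  ASN.1 layout follows SpecifiedECDomain
(RFC 3279 / SEC 1): SEQUENCE { version, fieldID, curve, base, order, cofactor }.
MAX_FIELD_BITS and every sample value below are constructed for this example."""
import random

MAX_FIELD_BITS = 521                     # assumption: largest standard prime field (P-521)
PRIME_FIELD_OID = "1.2.840.10045.1.1"    # id-prime-field (RFC 3279)


# --- minimal DER helpers, enough for the structure above ------------------
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")   # extra byte keeps the sign positive
    return b"\x02" + _len(len(b)) + b


def der_oid(dotted):
    parts = [int(x) for x in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(enc))
    return b"\x06" + _len(len(body)) + body


def der_octets(b):
    return b"\x04" + _len(len(b)) + b


def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + _len(len(body)) + body


def _read_tlv(buf, off):
    """Return (tag, value, offset just past the element)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + nb], "big"), off + nb
    return tag, buf[off:off + ln], off + ln


def explicit_params(p, a, b, base, order, cofactor=1):
    """Encode a SpecifiedECDomain with a prime-field fieldID (constructed test data)."""
    field_id = der_seq(der_oid(PRIME_FIELD_OID), der_int(p))
    curve = der_seq(der_octets(a), der_octets(b))
    return der_seq(der_int(1), field_id, curve, der_octets(base),
                   der_int(order), der_int(cofactor))


def field_prime(der):
    """Extract p from fieldID; the rest of the structure is left untouched."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ECParameters must be a SEQUENCE")
    _, _, off = _read_tlv(body, 0)                   # skip version
    ftag, fbody, _ = _read_tlv(body, off)            # fieldID
    if ftag != 0x30:
        raise ValueError("fieldID must be a SEQUENCE")
    otag, oval, off = _read_tlv(fbody, 0)
    if otag != 0x06 or b"\x06" + _len(len(oval)) + oval != der_oid(PRIME_FIELD_OID):
        raise ValueError("only prime-field parameters are handled here")
    ptag, pval, _ = _read_tlv(fbody, off)
    if ptag != 0x02:
        raise ValueError("field prime must be an INTEGER")
    return int.from_bytes(pval, "big")


def is_probable_prime(n, rounds=32):
    """Miller-Rabin: each round costs one modular exponentiation the size of n."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0)                           # fixed seed for reproducibility
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_explicit_params(der, max_bits=MAX_FIELD_BITS):
    """Cheap size check first; the primality test only runs on in-bound primes."""
    p = field_prime(der)
    bits = p.bit_length()
    if bits > max_bits:
        return {"verdict": "rejected", "field_bits": bits, "primality_tested": False}
    ok = is_probable_prime(p)
    return {"verdict": "accepted" if ok else "rejected",
            "field_bits": bits, "primality_tested": True}


if __name__ == "__main__":
    P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1      # real P-256 field prime; a, b, base are dummies
    print(check_explicit_params(explicit_params(P256, b"\x00" * 32, b"\x01" * 32, b"\x04" + b"\x02" * 64, 1)))
    print(check_explicit_params(explicit_params((1 << 16383) | 1, b"\x00", b"\x01", b"\x04\x02\x02", 1)))
```

The point of the ordering is that `field_prime` does nothing more expensive than reading a length and a byte string, so an oversized parameter set is refused at the cost of a DER walk; `is_probable_prime` is reached only once the prime is known to be no larger than any curve the application would accept.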
Description

Mauro Matteo Cascella, 2024-07-01 06:13:02 UTC

Created botan2 tracking bugs for this issue:
Affects: epel-all [bug 2294869]
Affects: fedora-all [bug 2294870]