Bug 2224962 (CVE-2023-3446) - CVE-2023-3446 openssl: Excessive time spent checking DH keys and parameters
Summary: CVE-2023-3446 openssl: Excessive time spent checking DH keys and parameters
Keywords:
Status: NEW
Alias: CVE-2023-3446
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2225349 2225350 2225351 2225352 2225353 2225414 2225415 2225416 2225417
Blocks: 2223014
TreeView+ depends on / blocked
 
Reported: 2023-07-24 05:15 UTC by TEJ RATHI
Modified: 2024-04-30 10:52 UTC (History)
60 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in OpenSSL. This security flaw occurs because the applications that use the DH_check(), DH_check_ex(), or EVP_PKEY_param_check() functions to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source may lead to a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7622 0 None None None 2023-12-07 12:18:16 UTC
Red Hat Product Errata RHSA-2023:7623 0 None None None 2023-12-07 12:37:25 UTC
Red Hat Product Errata RHSA-2023:7625 0 None None None 2023-12-07 13:49:23 UTC
Red Hat Product Errata RHSA-2023:7626 0 None None None 2023-12-07 13:55:38 UTC
Red Hat Product Errata RHSA-2023:7877 0 None None None 2023-12-18 07:37:43 UTC
Red Hat Product Errata RHSA-2024:0154 0 None None None 2024-01-10 16:32:10 UTC
Red Hat Product Errata RHSA-2024:0208 0 None None None 2024-01-11 21:15:07 UTC
Red Hat Product Errata RHSA-2024:0408 0 None None None 2024-01-24 16:41:50 UTC
Red Hat Product Errata RHSA-2024:0888 0 None None None 2024-02-20 12:30:18 UTC
Red Hat Product Errata RHSA-2024:1415 0 None None None 2024-03-19 17:30:33 UTC
Red Hat Product Errata RHSA-2024:2264 0 None None None 2024-04-30 09:57:40 UTC
Red Hat Product Errata RHSA-2024:2447 0 None None None 2024-04-30 10:52:14 UTC

Description TEJ RATHI 2023-07-24 05:15:39 UTC
Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

http://www.openwall.com/lists/oss-security/2023/07/19/4 	
http://www.openwall.com/lists/oss-security/2023/07/19/5 	
http://www.openwall.com/lists/oss-security/2023/07/19/6 	
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb 	
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528 	
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c 	
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23 	
https://www.openssl.org/news/secadv/20230719.txt

Comment 1 Sandipan Roy 2023-07-25 04:05:00 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 2225349]

Comment 7 errata-xmlrpc 2023-12-07 12:18:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622

Comment 8 errata-xmlrpc 2023-12-07 12:37:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623

Comment 9 errata-xmlrpc 2023-12-07 13:49:19 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:7625 https://access.redhat.com/errata/RHSA-2023:7625

Comment 10 errata-xmlrpc 2023-12-07 13:55:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2023:7626 https://access.redhat.com/errata/RHSA-2023:7626

Comment 11 errata-xmlrpc 2023-12-18 07:37:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7877 https://access.redhat.com/errata/RHSA-2023:7877

Comment 12 errata-xmlrpc 2024-01-10 16:32:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0154 https://access.redhat.com/errata/RHSA-2024:0154

Comment 13 errata-xmlrpc 2024-01-11 21:15:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0208 https://access.redhat.com/errata/RHSA-2024:0208

Comment 14 errata-xmlrpc 2024-01-24 16:41:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0408 https://access.redhat.com/errata/RHSA-2024:0408

Comment 16 errata-xmlrpc 2024-02-20 12:30:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0888 https://access.redhat.com/errata/RHSA-2024:0888

Comment 20 errata-xmlrpc 2024-03-19 17:30:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1415 https://access.redhat.com/errata/RHSA-2024:1415

Comment 21 errata-xmlrpc 2024-04-30 09:57:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2264 https://access.redhat.com/errata/RHSA-2024:2264

Comment 22 errata-xmlrpc 2024-04-30 10:52:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2447 https://access.redhat.com/errata/RHSA-2024:2447


Note You need to log in before you can comment on or make changes to this bug.