Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. The check includes a test that the RSA modulus n is composite: for a valid key n is a product of large primes and the test finishes quickly, but if the key being checked has a modulus that is an overly large prime the test runs for a very long time. An application that calls EVP_PKEY_public_check() on an RSA key obtained from an untrusted source is therefore vulnerable to a Denial of Service attack.

The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable to this issue; it is fixed in 3.0.13, 3.1.5 and 3.2.1. OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.

References:
https://www.openssl.org/news/secadv/20240115.txt
https://www.openwall.com/lists/oss-security/2024/01/15/2

Upstream fix:
https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a (3.0.13)
https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294 (3.1.5)
https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d (3.2.1)
Created edk2 tracking bugs for this issue:
Affects: fedora-all [bug 2258506]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-all [bug 2258507]

Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 2258508]

Created openssl3 tracking bugs for this issue:
Affects: epel-all [bug 2258505]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2024:2447 https://access.redhat.com/errata/RHSA-2024:2447