Excessive time spent checking DH q parameter value
Description
Issue summary: Checking excessively long DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.
An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.
The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
78(expand)+ 1 more
- (no CPE)
- (no CPE)range: 3.1.0
- osv-coords76 versionspkg:apk/chainguard/libcrypto3pkg:apk/chainguard/libssl3pkg:apk/chainguard/opensslpkg:apk/chainguard/openssl-configpkg:apk/chainguard/openssl-dbgpkg:apk/chainguard/openssl-devpkg:apk/chainguard/openssl-docpkg:apk/chainguard/openssl-engine-afalgpkg:apk/chainguard/openssl-engine-capipkg:apk/chainguard/openssl-engine-loader-atticpkg:apk/chainguard/openssl-engine-padlockpkg:apk/chainguard/openssl-provider-fipspkg:apk/chainguard/openssl-provider-fips-3.1.2pkg:apk/chainguard/openssl-provider-fips-3.1.2-dbgpkg:apk/chainguard/openssl-provider-legacypkg:apk/wolfi/libcrypto3pkg:apk/wolfi/libssl3pkg:apk/wolfi/opensslpkg:apk/wolfi/openssl-configpkg:apk/wolfi/openssl-dbgpkg:apk/wolfi/openssl-devpkg:apk/wolfi/openssl-docpkg:apk/wolfi/openssl-engine-afalgpkg:apk/wolfi/openssl-engine-capipkg:apk/wolfi/openssl-engine-loader-atticpkg:apk/wolfi/openssl-engine-padlockpkg:apk/wolfi/openssl-provider-legacypkg:rpm/almalinux/opensslpkg:rpm/almalinux/openssl-develpkg:rpm/almalinux/openssl-libspkg:rpm/almalinux/openssl-perlpkg:rpm/opensuse/openssl-1_0_0&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/openssl-1_0_0&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/openssl-1_0_0&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/openssl-1_1&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/openssl-1_1&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/openssl-1_1&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/openssl-1_1&distro=openSUSE%20Leap%20Micro%205.4pkg:rpm/opensuse/openssl-1_1&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/openssl-3&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/openssl-3&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/openssl-3&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/openssl-3&distro=openSUSE%20Leap%20Micro%205.4pkg:rpm/opensuse/openssl-3&distro=openSUSE%20Tumbleweedpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP4pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP5pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/openssl-1_1&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/openssl-1_1&distro=SUSE%20Manager%20Proxy%204.2pkg:rpm/suse/openssl-1_1&distro=SUSE%20Manager%20Server%204.2pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/openssl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL
< 3.1.1-r4+ 75 more
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 3.1.1-r4
- (no CPE)range: < 1:1.1.1k-12.el8_9
- (no CPE)range: < 1:1.1.1k-12.el8_9
- (no CPE)range: < 1:1.1.1k-12.el8_9
- (no CPE)range: < 1:1.1.1k-12.el8_9
- (no CPE)range: < 1.0.2p-150000.3.85.1
- (no CPE)range: < 1.0.2p-150000.3.85.1
- (no CPE)range: < 1.0.2u-22.1
- (no CPE)range: < 1.1.1l-150400.7.53.1
- (no CPE)range: < 1.1.1l-150500.17.15.1
- (no CPE)range: < 1.1.1l-150400.7.53.1
- (no CPE)range: < 1.1.1l-150400.7.53.1
- (no CPE)range: < 1.1.1v-1.1
- (no CPE)range: < 3.0.8-150400.4.34.1
- (no CPE)range: < 3.0.8-150500.5.11.1
- (no CPE)range: < 3.0.8-150400.4.34.1
- (no CPE)range: < 3.0.8-150400.4.34.1
- (no CPE)range: < 3.1.2-1.1
- (no CPE)range: < 1.0.2p-150000.3.85.1
- (no CPE)range: < 1.0.2p-150000.3.85.1
- (no CPE)range: < 1.0.2p-3.84.1
- (no CPE)range: < 1.0.2p-3.84.1
- (no CPE)range: < 1.0.2p-3.84.1
- (no CPE)range: < 1.1.1d-150200.11.75.1
- (no CPE)range: < 1.1.0i-150100.14.65.6
- (no CPE)range: < 1.1.1d-150200.11.75.1
- (no CPE)range: < 1.1.1d-150200.11.75.1
- (no CPE)range: < 1.1.1d-150200.11.75.1
- (no CPE)range: < 1.1.1d-150200.11.75.1
- (no CPE)range: < 1.1.1d-150200.11.75.1
- (no CPE)range: < 1.1.1l-150400.7.53.1
- (no CPE)range: < 1.1.1l-150400.7.53.1
- (no CPE)range: < 1.1.1l-150400.7.53.1
- (no CPE)range: < 1.1.1l-150500.17.15.1
- (no CPE)range: < 1.1.1d-2.98.1
- (no CPE)range: < 1.1.0i-150100.14.65.6
- (no CPE)range: < 1.1.1d-150200.11.75.1
- (no CPE)range: < 1.1.1d-150200.11.75.1
- (no CPE)range: < 1.1.1d-2.98.1
- (no CPE)range: < 1.1.0i-150100.14.65.6
- (no CPE)range: < 1.1.1d-150200.11.75.1
- (no CPE)range: < 1.1.1d-150200.11.75.1
- (no CPE)range: < 1.1.1d-2.98.1
- (no CPE)range: < 1.1.1d-150200.11.75.1
- (no CPE)range: < 1.1.1d-150200.11.75.1
- (no CPE)range: < 3.0.8-150400.4.34.1
- (no CPE)range: < 3.0.8-150400.4.34.1
- (no CPE)range: < 3.0.8-150400.4.34.1
- (no CPE)range: < 3.0.8-150500.5.11.1
- (no CPE)range: < 1.0.2j-60.104.1
Patches
Vulnerability mechanics
References
5- git.openssl.org/gitweb/mitrepatch
- git.openssl.org/gitweb/mitrepatch
- git.openssl.org/gitweb/mitrepatch
- git.openssl.org/gitweb/mitrepatch
- www.openssl.org/news/secadv/20230731.txtmitrevendor-advisory
News mentions
0No linked articles in our index yet.