CVE Details

Release Date:2023-07-31


Issue summary: Checking excessively long DH keys or parameters may be very slow.\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \-check\ option.\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

See more information about CVE-2023-3817 from MITRE CVE dictionary and NIST NVD

CVSS v3.0 metrics

NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.

Base Score: 5.3 Base Metrics: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Access Vector: Network Attack Complexity: Low
Privileges Required: None User Interaction: None
Scope: Unchanged Confidentiality Impact: None
Integrity Impact: None Availability Impact: Low

Errata information

PlatformErrataRelease Date
Oracle Linux version 8 (openssl)ELSA-2023-78772023-12-18
Oracle Linux version 8 (openssl)ELSA-2024-120562024-01-10
Oracle Linux version 9 (openssl)ELSA-2024-24472024-05-03
Oracle Linux version 9 (openssl-fips-provider)ELSA-2024-24472024-05-03

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team