CVE-2023-3817
- ULN >
- Oracle Linux CVE repository >
- CVE-2023-3817
CVE Details
| Release Date: | 2023-07-31 | |
| Impact: | Low | What is this? |
Description
Issue summary: Checking excessively long DH keys or parameters may be very slow.\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \-check\ option.\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
See more information about CVE-2023-3817 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
CVSS v3 metrics
| Base Score: | 5.3 |
| Vector String: | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| Version: | 3.0 |
| Attack Vector: | Network |
| Attack Complexity: | Low |
| Privileges Required: | None |
| User Interaction: | None |
| Scope: | Unchanged |
| Confidentiality Impact: | None |
| Integrity Impact: | None |
| Availability Impact: | Low |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 8 (openssl) | ELSA-2023-7877 | 2023-12-18 |
| Oracle Linux version 8 (openssl) | ELSA-2024-12056 | 2024-01-10 |
| Oracle Linux version 9 (openssl) | ELSA-2024-2447 | 2024-05-03 |
| Oracle Linux version 9 (openssl-fips-provider) | ELSA-2024-2447 | 2024-05-03 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
