CVE-2023-6237
- ULN >
- Oracle Linux CVE repository >
- CVE-2023-6237
CVE Details
| Release Date: | 2024-01-15 |
Description
Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.
See more information about CVE-2023-6237 from MITRE CVE dictionary and NIST NVD
CVSS v3.0 metrics
NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.
| Base Score: | 5.9 | Base Metrics: | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Access Vector: | Network | Attack Complexity: | High |
| Privileges Required: | None | User Interaction: | None |
| Scope: | Unchanged | Confidentiality Impact: | None |
| Integrity Impact: | None | Availability Impact: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 9 (openssl) | ELSA-2024-2447 | 2024-05-03 |
| Oracle Linux version 9 (openssl-fips-provider) | ELSA-2024-2447 | 2024-05-03 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
