CVE-2023-0217

2023-02-0700:00:00

ubuntu.com

invalid pointer dereference

dsa public key

openssl

denial of service

cve-2023-0217

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

47.4%

JSON

An invalid pointer dereference on read can be triggered when an application
tries to check a malformed DSA public key by the EVP_PKEY_public_check()
function. This will most likely lead to an application crash. This function
can be called on public keys supplied from untrusted sources which could
allow an attacker to cause a denial of service attack. The TLS
implementation in OpenSSL does not call this function but applications
might call the function if there are additional security requirements
imposed by standards such as FIPS 140-3.

Notes

Author	Note
mdeslaur	3.x only

OSVersionArchitecturePackageVersionFilename
ubuntu22.04noarchopenssl< 3.0.2-0ubuntu1.8UNKNOWN
ubuntu22.10noarchopenssl< 3.0.5-2ubuntu2.1UNKNOWN
ubuntu23.04noarchopenssl< 3.0.8-1ubuntu1UNKNOWN
ubuntu23.10noarchopenssl< 3.0.8-1ubuntu1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	22.04	noarch	openssl	< 3.0.2-0ubuntu1.8	UNKNOWN
ubuntu	22.10	noarch	openssl	< 3.0.5-2ubuntu2.1	UNKNOWN
ubuntu	23.04	noarch	openssl	< 3.0.8-1ubuntu1	UNKNOWN
ubuntu	23.10	noarch	openssl	< 3.0.8-1ubuntu1	UNKNOWN