Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-29409
HistoryAug 02, 2023 - 12:00 a.m.

CVE-2023-29409

2023-08-0200:00:00
ubuntu.com
ubuntu.com
19
rsa keys
certificate chains
cpu time

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.001

Percentile

31.3%

Extremely large RSA keys in certificate chains can cause a client/server to
expend significant CPU time verifying signatures. With fix, the size of RSA
keys transmitted during handshakes is restricted to <= 8192 bits. Based on
a survey of publicly trusted RSA keys, there are currently only three
certificates in circulation with keys larger than this, and all three
appear to be test certificates that are not actively deployed. It is
possible there are larger keys in use in private PKIs, but we target the
web PKI, so causing breakage here in the interests of increasing the
default safety of users of crypto/tls seems reasonable.

OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchgolang-1.20< anyUNKNOWN
ubuntu22.04noarchgolang-1.20< anyUNKNOWN

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.001

Percentile

31.3%