CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS
Percentile
77.2%
Issue summary: Checking excessively long DH keys or parameters may be very
slow. Impact summary: Applications that use the functions DH_check(),
DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters
may experience long delays. Where the key or parameters that are being
checked have been obtained from an untrusted source this may lead to a
Denial of Service. The function DH_check() performs various checks on DH
parameters. After fixing CVE-2023-3446 it was discovered that a large q
parameter value can also trigger an overly long computation during some of
these checks. A correct q value, if present, cannot be larger than the
modulus p parameter, thus it is unnecessary to perform these checks if q is
larger than p. An application that calls DH_check() and supplies a key or
parameters obtained from an untrusted source could be vulnerable to a
Denial of Service attack. The function DH_check() is itself called by a
number of other OpenSSL functions. An application calling any of those
other functions may similarly be affected. The other functions affected by
this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the
OpenSSL dhparam and pkeyparam command line applications when using the
“-check” option. The OpenSSL SSL/TLS implementation is not affected by this
issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this
issue.
Author | Note |
---|---|
Priority reason: Upstream rates this as having low severity |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | nodejs | < any | UNKNOWN |
ubuntu | 22.04 | noarch | nodejs | < any | UNKNOWN |
ubuntu | 16.04 | noarch | nodejs | < any | UNKNOWN |
ubuntu | 18.04 | noarch | openssl | < 1.1.1-1ubuntu2.1~18.04.23+esm3 | UNKNOWN |
ubuntu | 20.04 | noarch | openssl | < 1.1.1f-1ubuntu2.20 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2023-3817
nvd.nist.gov/vuln/detail/CVE-2023-3817
security-tracker.debian.org/tracker/CVE-2023-3817
ubuntu.com/security/notices/USN-6435-1
ubuntu.com/security/notices/USN-6435-2
ubuntu.com/security/notices/USN-6450-1
ubuntu.com/security/notices/USN-6709-1
www.cve.org/CVERecord?id=CVE-2023-3817
www.openssl.org/news/secadv/20230731.txt