Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-3817
HistoryJul 31, 2023 - 12:00 a.m.

CVE-2023-3817

2023-07-3100:00:00
ubuntu.com
ubuntu.com
19
dh keys
denial of service
openssl

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.005

Percentile

77.2%

Issue summary: Checking excessively long DH keys or parameters may be very
slow. Impact summary: Applications that use the functions DH_check(),
DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters
may experience long delays. Where the key or parameters that are being
checked have been obtained from an untrusted source this may lead to a
Denial of Service. The function DH_check() performs various checks on DH
parameters. After fixing CVE-2023-3446 it was discovered that a large q
parameter value can also trigger an overly long computation during some of
these checks. A correct q value, if present, cannot be larger than the
modulus p parameter, thus it is unnecessary to perform these checks if q is
larger than p. An application that calls DH_check() and supplies a key or
parameters obtained from an untrusted source could be vulnerable to a
Denial of Service attack. The function DH_check() is itself called by a
number of other OpenSSL functions. An application calling any of those
other functions may similarly be affected. The other functions affected by
this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the
OpenSSL dhparam and pkeyparam command line applications when using the
“-check” option. The OpenSSL SSL/TLS implementation is not affected by this
issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this
issue.

Notes

Author Note
Priority reason: Upstream rates this as having low severity

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.005

Percentile

77.2%