CVE Vulnerabilities

CVE-2023-3817

Excessive Iteration

Published: Jul 31, 2023 | Modified: Oct 14, 2024
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.x
RedHat/V2
RedHat/V3
5.3 LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu
LOW

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the -check option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Weakness

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

Affected Software

Name Vendor Start Version End Version
Openssl Openssl 3.0.0 (including) 3.0.10 (excluding)
Openssl Openssl 3.1.0 (including) 3.1.2 (excluding)
Openssl Openssl 1.0.2 (including) 1.0.2 (including)
Openssl Openssl 1.0.2-beta1 (including) 1.0.2-beta1 (including)
Openssl Openssl 1.0.2-beta2 (including) 1.0.2-beta2 (including)
Openssl Openssl 1.0.2-beta3 (including) 1.0.2-beta3 (including)
Openssl Openssl 1.0.2a (including) 1.0.2a (including)
Openssl Openssl 1.0.2b (including) 1.0.2b (including)
Openssl Openssl 1.0.2c (including) 1.0.2c (including)
Openssl Openssl 1.0.2d (including) 1.0.2d (including)
Openssl Openssl 1.0.2e (including) 1.0.2e (including)
Openssl Openssl 1.0.2f (including) 1.0.2f (including)
Openssl Openssl 1.0.2g (including) 1.0.2g (including)
Openssl Openssl 1.0.2h (including) 1.0.2h (including)
Openssl Openssl 1.0.2i (including) 1.0.2i (including)
Openssl Openssl 1.0.2j (including) 1.0.2j (including)
Openssl Openssl 1.0.2k (including) 1.0.2k (including)
Openssl Openssl 1.0.2l (including) 1.0.2l (including)
Openssl Openssl 1.0.2m (including) 1.0.2m (including)
Openssl Openssl 1.0.2n (including) 1.0.2n (including)
Openssl Openssl 1.0.2o (including) 1.0.2o (including)
Openssl Openssl 1.0.2p (including) 1.0.2p (including)
Openssl Openssl 1.0.2q (including) 1.0.2q (including)
Openssl Openssl 1.0.2r (including) 1.0.2r (including)
Openssl Openssl 1.0.2s (including) 1.0.2s (including)
Openssl Openssl 1.0.2t (including) 1.0.2t (including)
Openssl Openssl 1.0.2u (including) 1.0.2u (including)
Openssl Openssl 1.0.2v (including) 1.0.2v (including)
Openssl Openssl 1.0.2w (including) 1.0.2w (including)
Openssl Openssl 1.0.2x (including) 1.0.2x (including)
Openssl Openssl 1.0.2y (including) 1.0.2y (including)
Openssl Openssl 1.0.2za (including) 1.0.2za (including)
Openssl Openssl 1.0.2zb (including) 1.0.2zb (including)
Openssl Openssl 1.0.2zc (including) 1.0.2zc (including)
Openssl Openssl 1.0.2zd (including) 1.0.2zd (including)
Openssl Openssl 1.0.2ze (including) 1.0.2ze (including)
Openssl Openssl 1.0.2zf (including) 1.0.2zf (including)
Openssl Openssl 1.0.2zg (including) 1.0.2zg (including)
Openssl Openssl 1.0.2zh (including) 1.0.2zh (including)
Openssl Openssl 1.1.1 (including) 1.1.1 (including)
Openssl Openssl 1.1.1-pre1 (including) 1.1.1-pre1 (including)
Openssl Openssl 1.1.1-pre2 (including) 1.1.1-pre2 (including)
Openssl Openssl 1.1.1-pre3 (including) 1.1.1-pre3 (including)
Openssl Openssl 1.1.1-pre4 (including) 1.1.1-pre4 (including)
Openssl Openssl 1.1.1-pre5 (including) 1.1.1-pre5 (including)
Openssl Openssl 1.1.1-pre6 (including) 1.1.1-pre6 (including)
Openssl Openssl 1.1.1-pre7 (including) 1.1.1-pre7 (including)
Openssl Openssl 1.1.1-pre8 (including) 1.1.1-pre8 (including)
Openssl Openssl 1.1.1-pre9 (including) 1.1.1-pre9 (including)
Openssl Openssl 1.1.1a (including) 1.1.1a (including)
Openssl Openssl 1.1.1b (including) 1.1.1b (including)
Openssl Openssl 1.1.1c (including) 1.1.1c (including)
Openssl Openssl 1.1.1d (including) 1.1.1d (including)
Openssl Openssl 1.1.1e (including) 1.1.1e (including)
Openssl Openssl 1.1.1f (including) 1.1.1f (including)
Openssl Openssl 1.1.1g (including) 1.1.1g (including)
Openssl Openssl 1.1.1h (including) 1.1.1h (including)
Openssl Openssl 1.1.1i (including) 1.1.1i (including)
Openssl Openssl 1.1.1j (including) 1.1.1j (including)
Openssl Openssl 1.1.1k (including) 1.1.1k (including)
Openssl Openssl 1.1.1l (including) 1.1.1l (including)
Openssl Openssl 1.1.1m (including) 1.1.1m (including)
Openssl Openssl 1.1.1n (including) 1.1.1n (including)
Openssl Openssl 1.1.1o (including) 1.1.1o (including)
Openssl Openssl 1.1.1p (including) 1.1.1p (including)
Openssl Openssl 1.1.1q (including) 1.1.1q (including)
Openssl Openssl 1.1.1r (including) 1.1.1r (including)
Openssl Openssl 1.1.1s (including) 1.1.1s (including)
Openssl Openssl 1.1.1t (including) 1.1.1t (including)
Openssl Openssl 1.1.1u (including) 1.1.1u (including)
Edk2 Ubuntu bionic *
Edk2 Ubuntu devel *
Edk2 Ubuntu focal *
Edk2 Ubuntu jammy *
Edk2 Ubuntu lunar *
Edk2 Ubuntu mantic *
Edk2 Ubuntu noble *
Edk2 Ubuntu oracular *
Edk2 Ubuntu trusty *
Edk2 Ubuntu xenial *
Nodejs Ubuntu jammy *
Nodejs Ubuntu trusty *
Openssl Ubuntu bionic *
Openssl Ubuntu esm-infra/bionic *
Openssl Ubuntu esm-infra/xenial *
Openssl Ubuntu fips-preview/jammy *
Openssl Ubuntu fips-updates/bionic *
Openssl Ubuntu fips-updates/focal *
Openssl Ubuntu fips-updates/jammy *
Openssl Ubuntu fips-updates/xenial *
Openssl Ubuntu fips/bionic *
Openssl Ubuntu fips/focal *
Openssl Ubuntu fips/xenial *
Openssl Ubuntu focal *
Openssl Ubuntu jammy *
Openssl Ubuntu lunar *
Openssl Ubuntu trusty *
Openssl Ubuntu upstream *
Openssl Ubuntu xenial *
Openssl1.0 Ubuntu bionic *
Openssl1.0 Ubuntu esm-infra/bionic *
Openssl1.0 Ubuntu upstream *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-openssl-1:1.1.1k-16.el8jbcs *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-openssl-1:1.1.1k-16.el7jbcs *
Red Hat Enterprise Linux 8 RedHat openssl-1:1.1.1k-12.el8_9 *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat openssl-1:1.1.1k-12.el8_6 *
Red Hat Enterprise Linux 8.8 Extended Update Support RedHat openssl-1:1.1.1k-12.el8_8 *
Red Hat Enterprise Linux 9 RedHat openssl-1:3.0.7-27.el9 *
Red Hat Enterprise Linux 9 RedHat openssl-1:3.0.7-27.el9 *
Red Hat JBoss Core Services 1 RedHat jbcs-httpd24-openssl *
Red Hat JBoss Web Server 5 RedHat jbcs-httpd24-openssl *
Red Hat JBoss Web Server 5.7 on RHEL 7 RedHat jws5-tomcat-native-0:1.2.31-16.redhat_16.el7jws *
Red Hat JBoss Web Server 5.7 on RHEL 8 RedHat jws5-tomcat-native-0:1.2.31-16.redhat_16.el8jws *
Red Hat JBoss Web Server 5.7 on RHEL 9 RedHat jws5-tomcat-native-0:1.2.31-16.redhat_16.el9jws *
Red Hat Satellite 6.13 for RHEL 8 RedHat puppet-agent-0:7.26.0-3.el8sat *
Red Hat Satellite 6.13 for RHEL 8 RedHat puppet-agent-0:7.26.0-3.el8sat *

References