CVE-2023-3817

Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
References
Link Resource
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5 Mailing List Patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644 Broken Link
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f Mailing List Patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5 Mailing List Patch
https://www.openssl.org/news/secadv/20230731.txt Vendor Advisory
http://seclists.org/fulldisclosure/2023/Jul/43
http://www.openwall.com/lists/oss-security/2023/07/31/1
http://www.openwall.com/lists/oss-security/2023/09/22/11
http://www.openwall.com/lists/oss-security/2023/09/22/9
http://www.openwall.com/lists/oss-security/2023/11/06/2
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5 Mailing List Patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644 Broken Link
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f Mailing List Patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5 Mailing List Patch
https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html
https://security.gentoo.org/glsa/202402-08
https://security.netapp.com/advisory/ntap-20230818-0014/
https://security.netapp.com/advisory/ntap-20231027-0008/
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.openssl.org/news/secadv/20230731.txt Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2l:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2m:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2n:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2o:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2p:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2q:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2r:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2s:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2t:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2u:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2v:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2w:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2x:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2y:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2za:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2zb:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2zc:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2zd:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2ze:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2zf:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2zg:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2zh:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre4:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre5:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre6:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre7:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre8:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre9:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1l:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1m:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1n:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1o:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1p:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1q:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1r:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1s:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1t:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1u:*:*:*:*:*:*:*

History

21 Nov 2024, 08:18

Type Values Removed Values Added
References
  • () http://seclists.org/fulldisclosure/2023/Jul/43 -
  • () http://www.openwall.com/lists/oss-security/2023/07/31/1 -
  • () http://www.openwall.com/lists/oss-security/2023/09/22/11 -
  • () http://www.openwall.com/lists/oss-security/2023/09/22/9 -
  • () http://www.openwall.com/lists/oss-security/2023/11/06/2 -
  • () https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html -
  • () https://security.gentoo.org/glsa/202402-08 -
  • () https://security.netapp.com/advisory/ntap-20230818-0014/ -
  • () https://security.netapp.com/advisory/ntap-20231027-0008/ -
  • () https://security.netapp.com/advisory/ntap-20240621-0006/ -
References () https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5 - Mailing List, Patch () https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5 - Mailing List, Patch
References () https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644 - Broken Link () https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644 - Broken Link
References () https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f - Mailing List, Patch () https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f - Mailing List, Patch
References () https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5 - Mailing List, Patch () https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5 - Mailing List, Patch
References () https://www.openssl.org/news/secadv/20230731.txt - Vendor Advisory () https://www.openssl.org/news/secadv/20230731.txt - Vendor Advisory

14 Oct 2024, 15:15

Type Values Removed Values Added
References
  • {'url': 'http://seclists.org/fulldisclosure/2023/Jul/43', 'tags': ['Mailing List', 'Third Party Advisory'], 'source': 'openssl-security@openssl.org'}
  • {'url': 'http://www.openwall.com/lists/oss-security/2023/07/31/1', 'tags': ['Mailing List'], 'source': 'openssl-security@openssl.org'}
  • {'url': 'http://www.openwall.com/lists/oss-security/2023/09/22/11', 'source': 'openssl-security@openssl.org'}
  • {'url': 'http://www.openwall.com/lists/oss-security/2023/09/22/9', 'source': 'openssl-security@openssl.org'}
  • {'url': 'http://www.openwall.com/lists/oss-security/2023/11/06/2', 'source': 'openssl-security@openssl.org'}
  • {'url': 'https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html', 'source': 'openssl-security@openssl.org'}
  • {'url': 'https://security.gentoo.org/glsa/202402-08', 'source': 'openssl-security@openssl.org'}
  • {'url': 'https://security.netapp.com/advisory/ntap-20230818-0014/', 'source': 'openssl-security@openssl.org'}
  • {'url': 'https://security.netapp.com/advisory/ntap-20231027-0008/', 'source': 'openssl-security@openssl.org'}
  • {'url': 'https://security.netapp.com/advisory/ntap-20240621-0006/', 'source': 'openssl-security@openssl.org'}
CWE CWE-606

21 Jun 2024, 19:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20240621-0006/ -

04 Feb 2024, 09:15

Type Values Removed Values Added
References
  • () https://security.gentoo.org/glsa/202402-08 -

06 Nov 2023, 19:15

Type Values Removed Values Added
References
  • (MISC) http://www.openwall.com/lists/oss-security/2023/11/06/2 -

27 Oct 2023, 15:15

Type Values Removed Values Added
References
  • (MISC) https://security.netapp.com/advisory/ntap-20231027-0008/ -

23 Sep 2023, 00:15

Type Values Removed Values Added
References
  • (MISC) http://www.openwall.com/lists/oss-security/2023/09/22/11 -

22 Sep 2023, 21:15

Type Values Removed Values Added
References
  • (MISC) http://www.openwall.com/lists/oss-security/2023/09/22/9 -

18 Aug 2023, 14:15

Type Values Removed Values Added
References
  • (MISC) https://security.netapp.com/advisory/ntap-20230818-0014/ -

16 Aug 2023, 08:15

Type Values Removed Values Added
References
  • (MISC) https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html -

08 Aug 2023, 19:04

Type Values Removed Values Added
First Time Openssl
Openssl openssl
CWE CWE-834
References (MISC) http://seclists.org/fulldisclosure/2023/Jul/43 - (MISC) http://seclists.org/fulldisclosure/2023/Jul/43 - Mailing List, Third Party Advisory
References (MISC) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644 - (MISC) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644 - Broken Link
References (MISC) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f - (MISC) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f - Mailing List, Patch
References (MISC) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5 - (MISC) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5 - Mailing List, Patch
References (MISC) https://www.openssl.org/news/secadv/20230731.txt - (MISC) https://www.openssl.org/news/secadv/20230731.txt - Vendor Advisory
References (MISC) http://www.openwall.com/lists/oss-security/2023/07/31/1 - (MISC) http://www.openwall.com/lists/oss-security/2023/07/31/1 - Mailing List
References (MISC) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5 - (MISC) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5 - Mailing List, Patch
CPE cpe:2.3:a:openssl:openssl:1.0.2u:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2zf:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2s:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1t:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1r:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2l:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2zb:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre5:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2ze:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2n:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2t:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2r:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre8:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2zh:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2w:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2v:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2o:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre6:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre7:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2q:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2p:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1l:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1o:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1u:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1n:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1p:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2y:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2m:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2zc:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2zd:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1q:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1s:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre9:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1m:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2x:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre4:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2zg:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2za:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3

01 Aug 2023, 11:15

Type Values Removed Values Added
References
  • (MISC) http://seclists.org/fulldisclosure/2023/Jul/43 -

31 Jul 2023, 18:15

Type Values Removed Values Added
References
  • (MISC) http://www.openwall.com/lists/oss-security/2023/07/31/1 -

31 Jul 2023, 17:30

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-31 16:15

Updated : 2024-11-21 08:18


NVD link : CVE-2023-3817

Mitre link : CVE-2023-3817

CVE.ORG link : CVE-2023-3817


JSON object : View

Products Affected

openssl

  • openssl
CWE
CWE-606

Unchecked Input for Loop Condition

CWE-834

Excessive Iteration