CVE-2023-3446 Excessive time spent checking DH keys and parameters, 13 July 2023:

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which exceeds that limit.

However the DH_check() function checks numerous aspects of the key or parameters. Some of those checks use the supplied modulus value even if it has already been found to be too large.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Fixed in OpenSSL 3.1.2 (git commit) (Affected since 3.1.0)
Fixed in OpenSSL 3.0.10 (git commit) (Affected since 3.0.0)
Fixed in OpenSSL 1.1.1v (git commit) (Affected since 1.1.1)
Fixed in OpenSSL 1.0.2zi (Affected since 1.0.2)

CVE-2023-3817 Excessive time spent checking DH q parameter value, 31 July 2023:

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Fixed in OpenSSL 3.1.2 (git commit) (Affected since 3.1.0)
Fixed in OpenSSL 3.0.10 (git commit) (Affected since 3.0.0)
Fixed in OpenSSL 1.1.1v (git commit) (Affected since 1.1.1)
Fixed in OpenSSL 1.0.2zi (Affected since 1.0.2)

Note: All OpenSSL versions before 1.1.1 are out of support and no longer receiving updates. Extended support is available for 1.0.2 from OpenSSL Software Services for premium support customers.

If you think you have found a security bug in OpenSSL, please report it to us.
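Both advisories above come down to the same pattern: DH_check() did expensive arithmetic on a modulus p that was already known to be too large, and on a q that was already known to be invalid because it exceeds p. The fix is to upgrade to the listed releases. For code that must accept DH parameters from untrusted sources, the following added example (written for this page, not OpenSSL's own code and not the upstream patch) shows a cheap gate to run over the raw DER before anything is handed to DH_check(), DH_check_ex() or EVP_PKEY_param_check(): it bounds the bit length of p and rejects any q that is not strictly below p, without any big-number arithmetic. The 10000-bit bound is the value of OpenSSL's OPENSSL_DH_MAX_MODULUS_BITS; the function names, error codes and the sample byte strings are this example's own and the samples are constructed toy values, not real parameters. It assumes the caller knows whether the input is a PKCS#3 DHParameter (p, g, no q) or an X9.42 DomainParameters structure (p, g, q, ...), and it only parses enough DER to find p and q, leaving full validation to the library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DH_MAX_MODULUS_BITS 10000   /* value of OPENSSL_DH_MAX_MODULUS_BITS in <openssl/dh.h> */
enum { DH_OK = 0, DH_ERR_DER = -1, DH_ERR_P_TOO_BIG = -2, DH_ERR_Q_NOT_LESS_THAN_P = -3 };
typedef struct { const uint8_t *v; size_t n; } bigint;   /* unsigned big-endian magnitude */

/* One DER tag/length/value at b[0..n); truncated or non-minimal lengths are rejected. */
static int der_tlv(const uint8_t *b, size_t n, uint8_t *tag, bigint *val, size_t *used)
{
    size_t pos = 1, len, k;
    if (n < 2) return -1;
    *tag = b[0];
    if (b[pos] < 0x80) {
        len = b[pos++];
    } else {
        k = b[pos++] & 0x7f;
        if (k == 0 || k > sizeof(size_t) || n - pos < k) return -1;
        for (len = 0; k > 0; k--) len = (len << 8) | b[pos++];
        if (len < 0x80) return -1;
    }
    if (n - pos < len) return -1;
    val->v = b + pos; val->n = len; *used = pos + len;
    return 0;
}

/* Leading INTEGERs of the outer SEQUENCE: p, g and (X9.42) q. Trailing X9.42 fields
 * (j, validationParams) are skipped. Returns the count, or -1 on malformed input. */
static int der_dh_ints(const uint8_t *der, size_t n, bigint ints[3])
{
    uint8_t tag; bigint seq, it; size_t used, pos = 0; int count = 0;
    if (der_tlv(der, n, &tag, &seq, &used) || tag != 0x30 || used != n) return -1;
    while (pos < seq.n) {
        if (der_tlv(seq.v + pos, seq.n - pos, &tag, &it, &used)) return -1;
        pos += used;
        if (count == 3) continue;
        if (tag != 0x02 || it.n == 0 || (it.v[0] & 0x80)) return -1;  /* p, g, q are positive */
        ints[count++] = it;
    }
    return count;
}

static size_t bn_bits(bigint a)                /* as BN_num_bits(): leading zero bytes ignored */
{
    size_t i = 0, bits; uint8_t top;
    while (i < a.n && a.v[i] == 0) i++;
    if (i == a.n) return 0;
    for (bits = (a.n - i - 1) * 8, top = a.v[i]; top; top >>= 1) bits++;
    return bits;
}

static int bn_cmp(bigint a, bigint b)          /* -1, 0 or 1, leading zero bytes ignored */
{
    int c;
    while (a.n && a.v[0] == 0) { a.v++; a.n--; }
    while (b.n && b.v[0] == 0) { b.v++; b.n--; }
    if (a.n != b.n) return a.n < b.n ? -1 : 1;
    c = memcmp(a.v, b.v, a.n);
    return (c > 0) - (c < 0);
}

/* Gate for untrusted DER parameters, run before DH_check()/EVP_PKEY_param_check().
 * x942 != 0: X9.42 DomainParameters { p, g, q, ... }; x942 == 0: PKCS#3 { p, g }, no q. */
int dh_untrusted_gate(const uint8_t *der, size_t n, int x942)
{
    bigint ints[3];
    int count = der_dh_ints(der, n, ints);
    if (count < 2 || (x942 && count < 3)) return DH_ERR_DER;
    if (bn_bits(ints[0]) > DH_MAX_MODULUS_BITS) return DH_ERR_P_TOO_BIG;
    /* q divides p - 1, so a genuine q is strictly below p: q >= p is rejected with no
     * further arithmetic, which is the condition the advisory describes. */
    if (x942 && bn_cmp(ints[2], ints[0]) >= 0) return DH_ERR_Q_NOT_LESS_THAN_P;
    return DH_OK;
}

/* Constructed samples (toy numbers, not real parameters), X9.42 layout p, g, q. */
const uint8_t SAMPLE_OK[]     = {0x30,0x09, 0x02,0x01,0x17, 0x02,0x01,0x05, 0x02,0x01,0x0b}; /* q=11 < p=23 */
const uint8_t SAMPLE_Q_GT_P[] = {0x30,0x09, 0x02,0x01,0x17, 0x02,0x01,0x05, 0x02,0x01,0x1f}; /* q=31 > p=23 */

/* Constructed PKCS#3-layout input (filler bytes, not real parameters): p is pbytes bytes
 * long, so 8*pbytes - 1 bits, g = 2. Returns the gate's verdict for it. */
int gate_big_p(size_t pbytes)
{
    static uint8_t buf[2048];
    size_t content = 4 + pbytes + 3;                /* 02 82 hh ll | p | 02 01 02 */
    if (pbytes < 0x80 || content > sizeof buf - 4) return DH_ERR_DER;
    buf[0] = 0x30; buf[1] = 0x82; buf[2] = (uint8_t)(content >> 8); buf[3] = (uint8_t)content;
    buf[4] = 0x02; buf[5] = 0x82; buf[6] = (uint8_t)(pbytes >> 8); buf[7] = (uint8_t)pbytes;
    memset(buf + 8, 0xA5, pbytes);
    buf[8] = 0x7f;                                  /* positive INTEGER, top bit clear */
    memcpy(buf + 8 + pbytes, "\x02\x01\x02", 3);
    return dh_untrusted_gate(buf, 4 + content, 0);
}

int main(void)
{
    printf("q<p:%d q>p:%d 9999-bit p:%d 10007-bit p:%d\n",
           dh_untrusted_gate(SAMPLE_OK, sizeof SAMPLE_OK, 1),
           dh_untrusted_gate(SAMPLE_Q_GT_P, sizeof SAMPLE_Q_GT_P, 1), gate_big_p(1250), gate_big_p(1251));
    return 0;
}
```

The gate deliberately does no primality or subgroup work: it rejects the two shapes of input that the advisories say made DH_check() slow (p above the modulus bound, q not below p) and passes everything else through to the library, which still performs the full check. A 1250-byte p with top byte 0x7f is 9999 bits and is accepted; 1251 bytes is 10007 bits and is refused, matching where OpenSSL's own bound sits. On a patched build the gate is only a fast-fail in front of the library's work; on an unpatched build it is the difference between an immediate error and an attacker-controlled delay.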