CVE-2023-6237

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-6237

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-6237.json

Related

USN-6622-1

Published

2024-04-25T07:15:45Z

Modified

2024-05-01T19:09:56.882751Z

Details

Issue summary: Checking excessively long invalid RSA public keys may take a long time.

Impact summary: Applications that use the function EVPPKEYpublic_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service.

When function EVPPKEYpublic_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time.

An application that calls EVPPKEYpublic_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function EVPPKEYpublic_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that application is also vulnerable if used with the '-pubin' and '-check' options on untrusted data.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

References

Affected packages

Alpine:v3.17 / openssl

Package

Name: openssl

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

3.0.12-r3

Alpine:v3.18 / openssl

Package

Name: openssl

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

3.1.4-r4

Alpine:v3.19 / openssl

Package

Name: openssl

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

3.1.4-r4

Git / github.com/openssl/openssl

Affected ranges

Type: GIT
Repo: https://github.com/openssl/openssl
Events: Introduced

0The exact introduced commit is unknown

Fixed

0b0f7abfb37350794a4b8960fafc292cd5d1b84d

Fixed

18c02492138d1eb8b6548cb26e7b625fb2414a2a

Fixed

a830f551557d3d66a84bbb18a5b889c640c36294

Affected versions

Other

BEFORE_engine

OpenSSL_0_9_1c

OpenSSL_0_9_2b

OpenSSL_0_9_3

OpenSSL_0_9_3a

OpenSSL_0_9_3beta2

OpenSSL_0_9_4

OpenSSL_0_9_5a

OpenSSL_0_9_5a-beta1

OpenSSL_0_9_5a-beta2

OpenSSL_0_9_5beta1

OpenSSL_0_9_5beta2

OpenSSL_0_9_6-beta3

OpenSSL_1_1_0-pre1

OpenSSL_1_1_0-pre2

OpenSSL_1_1_0-pre3

OpenSSL_1_1_0-pre4

OpenSSL_1_1_0-pre5

OpenSSL_1_1_0-pre6

OpenSSL_1_1_1

OpenSSL_1_1_1-pre1

OpenSSL_1_1_1-pre2

OpenSSL_1_1_1-pre3

OpenSSL_1_1_1-pre4

OpenSSL_1_1_1-pre5

OpenSSL_1_1_1-pre6

OpenSSL_1_1_1-pre7

OpenSSL_1_1_1-pre8

OpenSSL_1_1_1-pre9

master-post-auto-reformat

master-post-reformat

master-pre-auto-reformat

master-pre-reformat

openssl-3.*

openssl-3.0.0

openssl-3.0.0-alpha1

openssl-3.0.0-alpha10

openssl-3.0.0-alpha11

openssl-3.0.0-alpha12

openssl-3.0.0-alpha13

openssl-3.0.0-alpha14

openssl-3.0.0-alpha15

openssl-3.0.0-alpha16

openssl-3.0.0-alpha17

openssl-3.0.0-alpha2

openssl-3.0.0-alpha3

openssl-3.0.0-alpha4

openssl-3.0.0-alpha5

openssl-3.0.0-alpha6

openssl-3.0.0-alpha7

openssl-3.0.0-alpha8

openssl-3.0.0-alpha9

openssl-3.0.0-beta1

openssl-3.0.0-beta2

openssl-3.0.1

openssl-3.0.10

openssl-3.0.11

openssl-3.0.12

openssl-3.0.2

openssl-3.0.3

openssl-3.0.4

openssl-3.0.5

openssl-3.0.6

openssl-3.0.7

openssl-3.0.8

openssl-3.0.9

openssl-3.1.0

openssl-3.1.0-alpha1

openssl-3.1.0-beta1

openssl-3.1.1

openssl-3.1.2

openssl-3.1.3

openssl-3.1.4

openssl-3.2.0

openssl-3.2.0-alpha1

openssl-3.2.0-alpha2

openssl-3.2.0-beta1