CVE-2023-3446: Excessive time spent checking DH keys and parameters
First published: Wed Jul 19 2023(Updated: )
Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. <a href="http://www.openwall.com/lists/oss-security/2023/07/19/4">http://www.openwall.com/lists/oss-security/2023/07/19/4</a> <a href="http://www.openwall.com/lists/oss-security/2023/07/19/5">http://www.openwall.com/lists/oss-security/2023/07/19/5</a> <a href="http://www.openwall.com/lists/oss-security/2023/07/19/6">http://www.openwall.com/lists/oss-security/2023/07/19/6</a> <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb</a> <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528</a> <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c</a> <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23</a> <a href="https://www.openssl.org/news/secadv/20230719.txt">https://www.openssl.org/news/secadv/20230719.txt</a>
Credit: openssl-security@openssl.org openssl-security@openssl.org openssl-security@openssl.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |
| debian/openssl | 1.1.1w-0+deb11u1 1.1.1w-0+deb11u2 3.0.15-1~deb12u1 3.0.14-1~deb12u2 3.4.0-2 | |
| OpenSSL libcrypto | =1.0.2 | |
| OpenSSL libcrypto | =1.1.1 | |
| OpenSSL libcrypto | =3.0.0 | |
| OpenSSL libcrypto | =3.1.0 | |
| OpenSSL libcrypto | =3.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528
- https://www.openssl.org/news/secadv/20230719.txt
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb
- http://www.openwall.com/lists/oss-security/2023/07/19/5
- http://www.openwall.com/lists/oss-security/2023/07/19/4
- http://www.openwall.com/lists/oss-security/2023/07/19/6
- http://www.openwall.com/lists/oss-security/2023/07/31/1
- https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html
- https://security.netapp.com/advisory/ntap-20230803-0011/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2225349
- https://access.redhat.com/errata/RHSA-2023:7622
- https://access.redhat.com/errata/RHSA-2023:7623
- https://access.redhat.com/errata/RHSA-2023:7625
- https://access.redhat.com/errata/RHSA-2023:7626
- https://access.redhat.com/errata/RHSA-2023:7877
- https://access.redhat.com/errata/RHSA-2024:0154
- https://access.redhat.com/errata/RHSA-2024:0208
- https://access.redhat.com/errata/RHSA-2024:0408
- https://access.redhat.com/errata/RHSA-2024:0888
- https://access.redhat.com/errata/RHSA-2024:1415
- https://access.redhat.com/errata/RHSA-2024:2264
- https://access.redhat.com/errata/RHSA-2024:2447
- https://bugzilla.redhat.com/show_bug.cgi?id=2224962
- https://security.gentoo.org/glsa/202402-08
- http://www.openwall.com/lists/oss-security/2024/05/16/1
- https://launchpad.net/bugs/cve/CVE-2023-3446
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446
- https://nvd.nist.gov/vuln/detail/CVE-2023-3446
- https://security-tracker.debian.org/tracker/CVE-2023-3446
- https://ubuntu.com/security/CVE-2023-3446
- https://github.com/openssl/openssl/commit/9e0094e2aa1b3428a12d5095132f133c078d3c3d
- https://github.com/openssl/openssl/commit/1fa20cf2f506113c761777127a38bce5068740eb
- https://github.com/openssl/openssl/commit/8780a896543a654e757db1b9396383f9d8095528
- https://www.ibm.com/support/pages/node/7177223 (Advisory)
Frequently Asked Questions
What is CVE-2023-3446?
CVE-2023-3446 is a vulnerability that affects OpenSSL versions 1.0.2, 3.0.0, 3.1.0, and 3.1.1.
How does CVE-2023-3446 impact applications?
Applications that use certain functions in OpenSSL to check DH keys or parameters may experience long delays.
What is the severity of CVE-2023-3446?
CVE-2023-3446 has a severity rating of 5.3, which is considered medium.
How can I fix CVE-2023-3446?
To fix CVE-2023-3446, you should update OpenSSL to a patched version.
Where can I find more information about CVE-2023-3446?
You can find more information about CVE-2023-3446 in the references provided: [Reference 1](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23), [Reference 2](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528), [Reference 3](https://www.openssl.org/news/secadv/20230719.txt).
- collector/nvd-latest
- agent/type
- agent/author
- agent/remedy
- agent/severity
- agent/title
- collector/launchpad-cve
- source/Launchpad
- collector/usn-cve
- source/Ubuntu
- collector/mitre-cve
- source/MITRE
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/description
- agent/weakness
- agent/first-publish-date
- agent/event
- agent/references
- agent/trending
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-3446
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-index
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp4
- package-manager/debian
- vendor/openssl
- canonical/openssl libcrypto
- version/openssl libcrypto/1.0.2
- version/openssl libcrypto/1.1.1
- version/openssl libcrypto/3.0.0
- version/openssl libcrypto/3.1.0
- version/openssl libcrypto/3.1.1