medium
5.9
CWE
606
Advisory Published
CVE Published
Updated

CVE-2023-6237: Excessive time spent checking invalid RSA public keys

First published: Mon Jan 15 2024(Updated: )

Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue. OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable to this issue. OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue. References: <a href="https://www.openssl.org/news/secadv/20240115.txt">https://www.openssl.org/news/secadv/20240115.txt</a> <a href="https://www.openwall.com/lists/oss-security/2024/01/15/2">https://www.openwall.com/lists/oss-security/2024/01/15/2</a> Upstream fix: <a href="https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a">https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a</a> (3.0.13) <a href="https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294">https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294</a> (3.1.5) <a href="https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d">https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d</a> (3.2.1)

Credit: openssl-security@openssl.org openssl-security@openssl.org

Affected SoftwareAffected VersionHow to fix
IBM Cognos Analytics<=12.0.0-12.0.3
IBM Cognos Analytics<=11.2.0-11.2.4 FP4
redhat/openssl<3.0.13
3.0.13
redhat/openssl<3.1.5
3.1.5
redhat/openssl<3.2.1
3.2.1
debian/openssl
1.1.1w-0+deb11u1
1.1.1w-0+deb11u2
3.0.15-1~deb12u1
3.0.14-1~deb12u2
3.4.1-1
3.5.0-1

Remedy

https://git.openssl.org/?p=openssl.git;a=commit;h=18c02492138d1eb8b6548cb26e7b625fb2414a2a

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the severity of CVE-2023-6237?

    CVE-2023-6237 has a severity level that can lead to Denial of Service (DoS) due to long delays in processing RSA public keys from untrusted sources.

  • How do I fix CVE-2023-6237?

    To fix CVE-2023-6237, update your affected software to the latest patched versions provided by your vendor.

  • Which applications are affected by CVE-2023-6237?

    CVE-2023-6237 affects IBM Cognos Analytics versions 12.0.0-12.0.3 and 11.2.0-11.2.4 FP4, as well as OpenSSL packages up to specific versions.

  • What functions are related to CVE-2023-6237?

    CVE-2023-6237 is related to the EVP_PKEY_public_check() function used for checking RSA public keys.

  • Can untrusted RSA public keys cause problems in CVE-2023-6237?

    Yes, using untrusted RSA public keys with EVP_PKEY_public_check() can lead to significant delays and potential Denial of Service.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203