AZL-39946

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-39946.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-39946

Upstream

CVE-2023-6237

Published

2024-04-25T07:15:45Z

Modified

2026-04-01T05:13:30.556626Z

Summary

CVE-2023-6237 affecting package openssl for versions less than 3.3.0-1

Details

Issue summary: Checking excessively long invalid RSA public keys may take a long time.

Impact summary: Applications that use the function EVPPKEYpublic_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service.

When function EVPPKEYpublic_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time.

An application that calls EVPPKEYpublic_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function EVPPKEYpublic_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that application is also vulnerable if used with the '-pubin' and '-check' options on untrusted data.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-6237

Affected packages

Azure Linux:3 / openssl

Package

Name: openssl
Purl: pkg:rpm/azure-linux/openssl

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.0-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-39946.json"