UBUNTU-CVE-2024-4603

Source
https://ubuntu.com/security/CVE-2024-4603
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-4603.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-4603
Related
Published
2024-05-16T16:15:00Z
Modified
2024-11-20T12:20:57Z
Summary
[none]
Details

Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVPPKEYparamcheck() or EVPPKEYpubliccheck() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVPPKEYparamcheck() or EVPPKEYpubliccheck() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (p parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVPPKEYparamcheck() or EVPPKEYpubliccheck() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the -check option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

References

Affected packages

Ubuntu:Pro:16.04:LTS / nodejs

Package

Name
nodejs
Purl
pkg:deb/ubuntu/nodejs?arch=src?distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10.25~dfsg2-2ubuntu1

4.*

4.2.2~dfsg-1
4.2.3~dfsg-1
4.2.4~dfsg-1ubuntu1
4.2.4~dfsg-2
4.2.6~dfsg-1ubuntu1
4.2.6~dfsg-1ubuntu4
4.2.6~dfsg-1ubuntu4.1
4.2.6~dfsg-1ubuntu4.2
4.2.6~dfsg-1ubuntu4.2+esm1
4.2.6~dfsg-1ubuntu4.2+esm2
4.2.6~dfsg-1ubuntu4.2+esm3

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Upstream OpenSSL project has rated this a being a low severity issue"
}

Ubuntu:Pro:18.04:LTS / nodejs

Package

Name
nodejs
Purl
pkg:deb/ubuntu/nodejs?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.11.4~dfsg-1ubuntu1
6.11.4~dfsg-1ubuntu2
6.12.0~dfsg-1ubuntu1
6.12.0~dfsg-2ubuntu1
6.12.0~dfsg-2ubuntu2

8.*

8.10.0~dfsg-2
8.10.0~dfsg-2ubuntu0.2
8.10.0~dfsg-2ubuntu0.3
8.10.0~dfsg-2ubuntu0.4
8.10.0~dfsg-2ubuntu0.4+esm1
8.10.0~dfsg-2ubuntu0.4+esm2
8.10.0~dfsg-2ubuntu0.4+esm3
8.10.0~dfsg-2ubuntu0.4+esm4
8.10.0~dfsg-2ubuntu0.4+esm5

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Upstream OpenSSL project has rated this a being a low severity issue"
}

Ubuntu:22.04:LTS / nodejs

Package

Name
nodejs
Purl
pkg:deb/ubuntu/nodejs?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

12.*

12.22.5~dfsg-5ubuntu1
12.22.7~dfsg-2ubuntu1
12.22.7~dfsg-2ubuntu3
12.22.9~dfsg-1ubuntu2
12.22.9~dfsg-1ubuntu3
12.22.9~dfsg-1ubuntu3.1
12.22.9~dfsg-1ubuntu3.2
12.22.9~dfsg-1ubuntu3.3
12.22.9~dfsg-1ubuntu3.4
12.22.9~dfsg-1ubuntu3.5
12.22.9~dfsg-1ubuntu3.6

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Upstream OpenSSL project has rated this a being a low severity issue"
}

Ubuntu:22.04:LTS / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.2-0ubuntu1.17

Affected versions

1.*

1.1.1l-1ubuntu1

3.*

3.0.0-1ubuntu1
3.0.1-0ubuntu1
3.0.2-0ubuntu1
3.0.2-0ubuntu1.1
3.0.2-0ubuntu1.2
3.0.2-0ubuntu1.4
3.0.2-0ubuntu1.5
3.0.2-0ubuntu1.6
3.0.2-0ubuntu1.7
3.0.2-0ubuntu1.8
3.0.2-0ubuntu1.9
3.0.2-0ubuntu1.10
3.0.2-0ubuntu1.12
3.0.2-0ubuntu1.13
3.0.2-0ubuntu1.14
3.0.2-0ubuntu1.15
3.0.2-0ubuntu1.16

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "binary_version": "3.0.2-0ubuntu1.17",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.17",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.17",
            "binary_name": "libssl3"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.17",
            "binary_name": "libssl3-dbgsym"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.17",
            "binary_name": "openssl"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.17",
            "binary_name": "openssl-dbgsym"
        }
    ],
    "priority_reason": "Upstream OpenSSL project has rated this a being a low severity issue"
}

Ubuntu:Pro:FIPS-preview:22.04:LTS / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl?arch=src?distro=fips-preview/jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.2-0ubuntu1.10+Fips1
3.0.2-0ubuntu1.12+Fips1

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Upstream OpenSSL project has rated this a being a low severity issue"
}

Ubuntu:Pro:FIPS-updates:22.04:LTS / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl?arch=src?distro=fips-updates/jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.2-0ubuntu1.17+Fips1

Affected versions

3.*

3.0.2-0ubuntu1.10+Fips1
3.0.2-0ubuntu1.12+Fips1
3.0.2-0ubuntu1.14+Fips1
3.0.2-0ubuntu1.15+Fips1
3.0.2-0ubuntu1.16+Fips1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "binary_version": "3.0.2-0ubuntu1.17+Fips1",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.17+Fips1",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.17+Fips1",
            "binary_name": "libssl3"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.17+Fips1",
            "binary_name": "libssl3-dbgsym"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.17+Fips1",
            "binary_name": "openssl"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.17+Fips1",
            "binary_name": "openssl-dbgsym"
        }
    ],
    "priority_reason": "Upstream OpenSSL project has rated this a being a low severity issue"
}

Ubuntu:24.10 / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2024.*

2024.02-2
2024.05-1
2024.05-1ubuntu2
2024.05-2
2024.05-2ubuntu0.1

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Upstream OpenSSL project has rated this a being a low severity issue"
}

Ubuntu:24.10 / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.2-1ubuntu1

Affected versions

3.*

3.0.13-0ubuntu3
3.0.13-0ubuntu4
3.2.1-3ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "binary_version": "3.2.2-1ubuntu1",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "3.2.2-1ubuntu1",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "3.2.2-1ubuntu1",
            "binary_name": "libssl3t64"
        },
        {
            "binary_version": "3.2.2-1ubuntu1",
            "binary_name": "libssl3t64-dbgsym"
        },
        {
            "binary_version": "3.2.2-1ubuntu1",
            "binary_name": "openssl"
        },
        {
            "binary_version": "3.2.2-1ubuntu1",
            "binary_name": "openssl-dbgsym"
        }
    ],
    "priority_reason": "Upstream OpenSSL project has rated this a being a low severity issue"
}

Ubuntu:24.04:LTS / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2023.*

2023.05-2
2023.11-2
2023.11-3
2023.11-4
2023.11-5
2023.11-6
2023.11-8

2024.*

2024.02-1
2024.02-2

Ecosystem specific

{
    "ubuntu_priority": "low",
    "priority_reason": "Upstream OpenSSL project has rated this a being a low severity issue"
}

Ubuntu:24.04:LTS / openssl

Package

Name
openssl
Purl
pkg:deb/ubuntu/openssl?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.13-0ubuntu3.2

Affected versions

3.*

3.0.10-1ubuntu2
3.0.10-1ubuntu2.1
3.0.10-1ubuntu3
3.0.10-1ubuntu4
3.0.13-0ubuntu2
3.0.13-0ubuntu3
3.0.13-0ubuntu3.1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "binary_version": "3.0.13-0ubuntu3.2",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "3.0.13-0ubuntu3.2",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "3.0.13-0ubuntu3.2",
            "binary_name": "libssl3t64"
        },
        {
            "binary_version": "3.0.13-0ubuntu3.2",
            "binary_name": "libssl3t64-dbgsym"
        },
        {
            "binary_version": "3.0.13-0ubuntu3.2",
            "binary_name": "openssl"
        },
        {
            "binary_version": "3.0.13-0ubuntu3.2",
            "binary_name": "openssl-dbgsym"
        }
    ],
    "priority_reason": "Upstream OpenSSL project has rated this a being a low severity issue"
}