{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-4603", "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "state": "PUBLISHED", "assignerShortName": "openssl", "dateReserved": "2024-05-07T11:44:02.196Z", "datePublished": "2024-05-16T15:21:20.050Z", "dateUpdated": "2024-10-14T14:56:01.784Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenSSL", "vendor": "OpenSSL", "versions": [{"lessThan": "3.0.14", "status": "affected", "version": "3.0.0", "versionType": "semver"}, {"lessThan": "3.1.6", "status": "affected", "version": "3.1.0", "versionType": "semver"}, {"lessThan": "3.2.2", "status": "affected", "version": "3.2.0", "versionType": "semver"}, {"lessThan": "3.3.1", "status": "affected", "version": "3.3.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "OSS-Fuzz"}, {"lang": "en", "type": "remediation developer", "user": "00000000-0000-4000-9000-000000000000", "value": "Tomas Mraz"}], "datePublic": "2024-05-16T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Issue summary: Checking excessively long DSA keys or parameters may be very<br>slow.<br><br>Impact summary: Applications that use the functions EVP_PKEY_param_check()<br>or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may<br>experience long delays. Where the key or parameters that are being checked<br>have been obtained from an untrusted source this may lead to a Denial of<br>Service.<br><br>The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform<br>various checks on DSA parameters. Some of those computations take a long time<br>if the modulus (`p` parameter) is too large.<br><br>Trying to use a very large modulus is slow and OpenSSL will not allow using<br>public keys with a modulus which is over 10,000 bits in length for signature<br>verification. However the key and parameter check functions do not limit<br>the modulus size when performing the checks.<br><br>An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()<br>and supplies a key or parameters obtained from an untrusted source could be<br>vulnerable to a Denial of Service attack.<br><br>These functions are not called by OpenSSL itself on untrusted DSA keys so<br>only applications that directly call these functions may be vulnerable.<br><br>Also vulnerable are the OpenSSL pkey and pkeyparam command line applications<br>when using the `-check` option.<br><br>The OpenSSL SSL/TLS implementation is not affected by this issue.<br><br>The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue."}], "value": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue."}], "metrics": [{"format": "other", "other": {"content": {"text": "Low"}, "type": "https://www.openssl.org/policies/secpolicy.html"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-606", "description": "CWE-606 Unchecked Input for Loop Condition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "shortName": "openssl", "dateUpdated": "2024-10-14T14:56:01.784Z"}, "references": [{"name": "OpenSSL Advisory", "tags": ["vendor-advisory"], "url": "https://www.openssl.org/news/secadv/20240516.txt"}, {"name": "3.0.14 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397"}, {"name": "3.1.6 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d"}, {"name": "3.2.2 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740"}, {"name": "3.3.1 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e"}], "source": {"discovery": "UNKNOWN"}, "title": "Excessive time spent checking DSA keys and parameters", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:47:41.528Z"}, "title": "CVE Program Container", "references": [{"name": "OpenSSL Advisory", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.openssl.org/news/secadv/20240516.txt"}, {"name": "3.0.14 git commit", "tags": ["patch", "x_transferred"], "url": "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397"}, {"name": "3.1.6 git commit", "tags": ["patch", "x_transferred"], "url": "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d"}, {"name": "3.2.2 git commit", "tags": ["patch", "x_transferred"], "url": "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740"}, {"name": "3.3.1 git commit", "tags": ["patch", "x_transferred"], "url": "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/16/2", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0001/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-834", "lang": "en", "description": "CWE-834 Excessive Iteration"}]}], "affected": [{"vendor": "openssl", "product": "openssl", "cpes": ["cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "3.0.0", "status": "affected", "lessThan": "3.0.14", "versionType": "semver"}, {"version": "3.1.0", "status": "affected", "lessThan": "3.1.6", "versionType": "semver"}, {"version": "3.2.0", "status": "affected", "lessThan": "3.2.2", "versionType": "semver"}, {"version": "3.3.0", "status": "affected", "lessThan": "3.3.1", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-16T18:27:25.638098Z", "id": "CVE-2024-4603", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T15:11:57.009Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.openssl.org/news/secadv/20240516.txt", "name": "OpenSSL Advisory", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397", "name": "3.0.14 git commit", "tags": ["patch", "x_transferred"]}, {"url": "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d", "name": "3.1.6 git commit", "tags": ["patch", "x_transferred"]}, {"url": "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740", "name": "3.2.2 git commit", "tags": ["patch", "x_transferred"]}, {"url": "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e", "name": "3.3.1 git commit", "tags": ["patch", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/16/2", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0001/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:47:41.528Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-4603", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-16T18:27:25.638098Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*"], "vendor": "openssl", "product": "openssl", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.0.14", "versionType": "semver"}, {"status": "affected", "version": "3.1.0", "lessThan": "3.1.6", "versionType": "semver"}, {"status": "affected", "version": "3.2.0", "lessThan": "3.2.2", "versionType": "semver"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-834", "description": "CWE-834 Excessive Iteration"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-16T18:23:43.403Z"}}], "cna": {"title": "Excessive time spent checking DSA keys and parameters", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "OSS-Fuzz"}, {"lang": "en", "type": "remediation developer", "user": "00000000-0000-4000-9000-000000000000", "value": "Tomas Mraz"}], "metrics": [{"other": {"type": "https://www.openssl.org/policies/secpolicy.html", "content": {"text": "Low"}}, "format": "other"}], "affected": [{"vendor": "OpenSSL", "product": "OpenSSL", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.0.14", "versionType": "semver"}, {"status": "affected", "version": "3.1.0", "lessThan": "3.1.6", "versionType": "semver"}, {"status": "affected", "version": "3.2.0", "lessThan": "3.2.2", "versionType": "semver"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2024-05-16T00:00:00.000Z", "references": [{"url": "https://www.openssl.org/news/secadv/20240516.txt", "name": "OpenSSL Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397", "name": "3.0.14 git commit", "tags": ["patch"]}, {"url": "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d", "name": "3.1.6 git commit", "tags": ["patch"]}, {"url": "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740", "name": "3.2.2 git commit", "tags": ["patch"]}, {"url": "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e", "name": "3.3.1 git commit", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", "supportingMedia": [{"type": "text/html", "value": "Issue summary: Checking excessively long DSA keys or parameters may be very<br>slow.<br><br>Impact summary: Applications that use the functions EVP_PKEY_param_check()<br>or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may<br>experience long delays. Where the key or parameters that are being checked<br>have been obtained from an untrusted source this may lead to a Denial of<br>Service.<br><br>The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform<br>various checks on DSA parameters. Some of those computations take a long time<br>if the modulus (`p` parameter) is too large.<br><br>Trying to use a very large modulus is slow and OpenSSL will not allow using<br>public keys with a modulus which is over 10,000 bits in length for signature<br>verification. However the key and parameter check functions do not limit<br>the modulus size when performing the checks.<br><br>An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()<br>and supplies a key or parameters obtained from an untrusted source could be<br>vulnerable to a Denial of Service attack.<br><br>These functions are not called by OpenSSL itself on untrusted DSA keys so<br>only applications that directly call these functions may be vulnerable.<br><br>Also vulnerable are the OpenSSL pkey and pkeyparam command line applications<br>when using the `-check` option.<br><br>The OpenSSL SSL/TLS implementation is not affected by this issue.<br><br>The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-606", "description": "CWE-606 Unchecked Input for Loop Condition"}]}], "providerMetadata": {"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "shortName": "openssl", "dateUpdated": "2024-10-14T14:56:01.784Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4603", "state": "PUBLISHED", "dateUpdated": "2024-10-14T14:56:01.784Z", "dateReserved": "2024-05-07T11:44:02.196Z", "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "datePublished": "2024-05-16T15:21:20.050Z", "assignerShortName": "openssl"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue."}, {"lang": "es", "value": "Resumen del problema: la comprobaci\u00f3n de claves o par\u00e1metros DSA excesivamente largos puede resultar muy lenta. Resumen de impacto: las aplicaciones que utilizan las funciones EVP_PKEY_param_check() o EVP_PKEY_public_check() para comprobar una clave p\u00fablica de DSA o par\u00e1metros de DSA pueden experimentar grandes retrasos. Cuando la clave o los par\u00e1metros que se est\u00e1n verificando se obtuvieron de una fuente que no es confiable, esto puede dar lugar a una Denegaci\u00f3n de Servicio. Las funciones EVP_PKEY_param_check() o EVP_PKEY_public_check() realizan varias comprobaciones de los par\u00e1metros DSA. Algunos de esos c\u00e1lculos toman mucho tiempo si el m\u00f3dulo (par\u00e1metro `p`) es demasiado grande. Intentar utilizar un m\u00f3dulo muy grande es lento y OpenSSL no permitir\u00e1 el uso de claves p\u00fablicas con un m\u00f3dulo de m\u00e1s de 10.000 bits de longitud para la verificaci\u00f3n de firmas. Sin embargo, las funciones de verificaci\u00f3n de claves y par\u00e1metros no limitan el tama\u00f1o del m\u00f3dulo al realizar las verificaciones. Una aplicaci\u00f3n que llama a EVP_PKEY_param_check() o EVP_PKEY_public_check() y proporciona una clave o par\u00e1metros obtenidos de una fuente que no es de confianza podr\u00eda ser vulnerable a un ataque de denegaci\u00f3n de servicio. OpenSSL no llama a estas funciones en claves DSA que no son de confianza, por lo que solo las aplicaciones que llaman directamente a estas funciones pueden ser vulnerables. Tambi\u00e9n son vulnerables las aplicaciones de l\u00ednea de comandos OpenSSL pkey y pkeyparam cuando se usa la opci\u00f3n `-check`. La implementaci\u00f3n de OpenSSL SSL/TLS no se ve afectada por este problema. Los proveedores FIPS OpenSSL 3.0 y 3.1 se ven afectados por este problema."}], "id": "CVE-2024-4603", "lastModified": "2024-10-14T15:15:14.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-16T16:15:10.643", "references": [{"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740"}, {"source": "openssl-security@openssl.org", "url": "https://www.openssl.org/news/secadv/20240516.txt"}], "sourceIdentifier": "openssl-security@openssl.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-606"}], "source": "openssl-security@openssl.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-834"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:9333", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "openssl-1:3.2.2-6.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9333", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "openssl-1:3.2.2-6.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "openssl: Excessive time spent checking DSA keys and parameters", "id": "2281029", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2281029"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "details": ["Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", "A flaw was found in OpenSSL. Applications that use the EVP_PKEY_param_check() or EVP_PKEY_public_check() function to check a DSA public key or DSA parameters may experience long delays when checking excessively long DSA keys or parameters.\u00a0 In applications that allow untrusted sources to provide the key or parameters that are checked, an attacker may be able to cause a denial of service. These functions are not called by OpenSSL on untrusted DSA keys. The applications that directly call these functions are the ones that may be vulnerable to this issue."], "name": "CVE-2024-4603", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/fluentd-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp-backend-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "ovmf", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "compat-openssl10", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "edk2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mingw-openssl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "shim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "shim-unsigned-x64", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "compat-openssl11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "edk2", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "shim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "shim-unsigned-aarch64", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "shim-unsigned-x64", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat JBoss Web Server 5"}], "public_date": "2024-05-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-4603\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-4603\nhttps://www.openssl.org/news/secadv/20240516.txt"], "statement": "Only OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.", "threat_severity": "Low", "upstream_fix": "OpenSSL 3.0.14, OpenSSL 3.1.6, OpenSSL 3.2.2, OpenSSL 3.3.1"}