{"id":"AZL-78561","summary":"CVE-2023-6237 affecting package openssl-fips-provider 3.1.2-1","details":"Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.","modified":"2026-04-01T05:23:16.438641Z","published":"2024-04-25T07:15:45Z","upstream":["CVE-2023-6237"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6237"}],"affected":[{"package":{"name":"openssl-fips-provider","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/openssl-fips-provider"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"3.1.2-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-78561.json"}}],"schema_version":"1.7.5"}