{"id":"CVE-2023-3817","details":"Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.","modified":"2026-04-16T00:03:15.626652396Z","published":"2023-07-31T16:15:10.497Z","related":["ALSA-2023:7877","ALSA-2024:2447","CGA-hxqv-3m45-8f6g","SUSE-SU-2023:3239-1","SUSE-SU-2023:3242-1","SUSE-SU-2023:3243-1","SUSE-SU-2023:3244-1","SUSE-SU-2023:3244-2","SUSE-SU-2023:3291-1","SUSE-SU-2023:3291-2","SUSE-SU-2023:3308-1","SUSE-SU-2023:3338-1","SUSE-SU-2023:3339-1","SUSE-SU-2023:3397-1","SUSE-SU-2023:3958-1","SUSE-SU-2023:4189-1","SUSE-SU-2023:4190-1","openSUSE-SU-2024:13090-1","openSUSE-SU-2024:13097-1","openSUSE-SU-2024:13111-1"],"references":[{"type":"WEB","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2023/Jul/43"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/07/31/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/09/22/11"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/09/22/9"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/11/06/2"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html"},{"type":"ADVISORY","url":"https://www.openssl.org/news/secadv/20230731.txt"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202402-08"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230818-0014/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20231027-0008/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240621-0006/"},{"type":"FIX","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5"},{"type":"FIX","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f"},{"type":"FIX","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5"},{"type":"ARTICLE","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5"},{"type":"ARTICLE","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f"},{"type":"ARTICLE","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"89cd17a031e022211684eb7eb41190cf1910f9fa"},{"fixed":"245cb0291e0db99d9ccf3692fa76f440b2b054c2"},{"introduced":"a92271e03a8d0dee507b6f1e7f49512568b2c7ad"},{"fixed":"17a2c5111864d8e016c5f2d29c40a3746b559e9d"}]}],"versions":["openssl-3.0.0","openssl-3.0.1","openssl-3.0.2","openssl-3.0.3","openssl-3.0.4","openssl-3.0.5","openssl-3.0.6","openssl-3.0.7","openssl-3.0.8","openssl-3.0.9","openssl-3.1.0","openssl-3.1.0-alpha1","openssl-3.1.0-beta1","openssl-3.1.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-3817.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}