{"id":"UBUNTU-CVE-2023-6237","details":"Issue summary: Checking excessively long invalid RSA public keys may take a long time. Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service. When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function EVP_PKEY_public_check() is not called from other OpenSSL functions; however, it is called from the OpenSSL pkey command line application. For that reason, that application is also vulnerable if used with the '-pubin' and '-check' options on untrusted data. The OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.","modified":"2026-04-22T17:28:31.026096Z","published":"2024-01-15T00:00:00Z","related":["USN-6622-1","USN-7894-1"],"upstream":["CVE-2023-6237"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-6237"},{"type":"REPORT","url":"https://www.openssl.org/news/secadv/20240115.txt"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6622-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-6237"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7894-1"}],"affected":[{"package":{"name":"openssl","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.14?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.2-0ubuntu1.14"}]}],"versions":["1.1.1l-1ubuntu1","3.0.0-1ubuntu1","3.0.1-0ubuntu1","3.0.2-0ubuntu1","3.0.2-0ubuntu1.1","3.0.2-0ubuntu1.2","3.0.2-0ubuntu1.4","3.0.2-0ubuntu1.5","3.0.2-0ubuntu1.6","3.0.2-0ubuntu1.7","3.0.2-0ubuntu1.8","3.0.2-0ubuntu1.9","3.0.2-0ubuntu1.10","3.0.2-0ubuntu1.12","3.0.2-0ubuntu1.13"],"ecosystem_specific":{"availability":"No subscription required","priority_reason":"Upstream OpenSSL project has rated this as low severity","binaries":[{"binary_name":"libssl3","binary_version":"3.0.2-0ubuntu1.14"},{"binary_name":"openssl","binary_version":"3.0.2-0ubuntu1.14"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-6237.json"}},{"package":{"name":"nodejs","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/nodejs@12.22.9~dfsg-1ubuntu3.6+esm2?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["12.22.5~dfsg-5ubuntu1","12.22.7~dfsg-2ubuntu1","12.22.7~dfsg-2ubuntu3","12.22.9~dfsg-1ubuntu2","12.22.9~dfsg-1ubuntu3","12.22.9~dfsg-1ubuntu3.1","12.22.9~dfsg-1ubuntu3.2","12.22.9~dfsg-1ubuntu3.3","12.22.9~dfsg-1ubuntu3.4","12.22.9~dfsg-1ubuntu3.5","12.22.9~dfsg-1ubuntu3.6","12.22.9~dfsg-1ubuntu3.6+esm2"],"ecosystem_specific":{"priority_reason":"Upstream OpenSSL project has rated this as low severity","binaries":[{"binary_name":"libnode72","binary_version":"12.22.9~dfsg-1ubuntu3.6+esm2"},{"binary_name":"nodejs","binary_version":"12.22.9~dfsg-1ubuntu3.6+esm2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-6237.json"}},{"package":{"name":"openssl","ecosystem":"Ubuntu:Pro:FIPS-preview:22.04:LTS","purl":"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.12+Fips1?arch=source&distro=fips-preview/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.0.2-0ubuntu1.10+Fips1","3.0.2-0ubuntu1.12+Fips1"],"ecosystem_specific":{"priority_reason":"Upstream OpenSSL project has rated this as low severity","binaries":[{"binary_name":"libssl3","binary_version":"3.0.2-0ubuntu1.12+Fips1"},{"binary_name":"openssl","binary_version":"3.0.2-0ubuntu1.12+Fips1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-6237.json"}},{"package":{"name":"openssl","ecosystem":"Ubuntu:Pro:FIPS-updates:22.04:LTS","purl":"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.14+Fips1?arch=source&distro=fips-updates/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.2-0ubuntu1.14+Fips1"}]}],"versions":["3.0.2-0ubuntu1.10+Fips1","3.0.2-0ubuntu1.12+Fips1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","priority_reason":"Upstream OpenSSL project has rated this as low severity","binaries":[{"binary_name":"libssl3","binary_version":"3.0.2-0ubuntu1.14+Fips1"},{"binary_name":"openssl","binary_version":"3.0.2-0ubuntu1.14+Fips1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-6237.json"}},{"package":{"name":"edk2","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/edk2@2024.02-2ubuntu0.6?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2024.02-2ubuntu0.6"}]}],"versions":["2023.05-2","2023.11-2","2023.11-3","2023.11-4","2023.11-5","2023.11-6","2023.11-8","2024.02-1","2024.02-2","2024.02-2ubuntu0.1","2024.02-2ubuntu0.3","2024.02-2ubuntu0.4","2024.02-2ubuntu0.5"],"ecosystem_specific":{"availability":"No subscription required","priority_reason":"Upstream OpenSSL project has rated this as low severity","binaries":[{"binary_name":"efi-shell-aa64","binary_version":"2024.02-2ubuntu0.6"},{"binary_name":"efi-shell-arm","binary_version":"2024.02-2ubuntu0.6"},{"binary_name":"efi-shell-ia32","binary_version":"2024.02-2ubuntu0.6"},{"binary_name":"efi-shell-riscv64","binary_version":"2024.02-2ubuntu0.6"},{"binary_name":"efi-shell-x64","binary_version":"2024.02-2ubuntu0.6"},{"binary_name":"ovmf","binary_version":"2024.02-2ubuntu0.6"},{"binary_name":"ovmf-ia32","binary_version":"2024.02-2ubuntu0.6"},{"binary_name":"qemu-efi-aarch64","binary_version":"2024.02-2ubuntu0.6"},{"binary_name":"qemu-efi-arm","binary_version":"2024.02-2ubuntu0.6"},{"binary_name":"qemu-efi-riscv64","binary_version":"2024.02-2ubuntu0.6"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-6237.json"}},{"package":{"name":"openssl","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/openssl@3.0.10-1ubuntu4?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.10-1ubuntu4"}]}],"versions":["3.0.10-1ubuntu2","3.0.10-1ubuntu2.1","3.0.10-1ubuntu3"],"ecosystem_specific":{"availability":"No subscription required","priority_reason":"Upstream OpenSSL project has rated this as low severity","binaries":[{"binary_name":"libssl3","binary_version":"3.0.10-1ubuntu4"},{"binary_name":"openssl","binary_version":"3.0.10-1ubuntu4"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-6237.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]}