CVE-2023-3446: Excessive time spent checking DH keys and parameters

Published Jul 19, 2023
·
Updated

Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. http://www.openwall.com/lists/oss-security/2023/07/19/4 http://www.openwall.com/lists/oss-security/2023/07/19/5 http://www.openwall.com/lists/oss-security/2023/07/19/6 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23 https://www.openssl.org/news/secadv/20230719.txt

Affected Software

11 affected componentsFixes available
OpenSSL OpenSSL=1.0.2
OpenSSL OpenSSL=1.1.1
OpenSSL OpenSSL=3.0.0
OpenSSL OpenSSL=3.1.0
OpenSSL OpenSSL=3.1.1
debian/openssl
1.1.1w-0+deb11u11.1.1w-0+deb11u23.0.15-1~deb12u13.0.14-1~deb12u23.5.0-1
IBM QRadar Network Packet Capture<=7.5.0 - 7.5.0 Update Package 7
Microsoft cbl2 hvloader 1.0.1-5
Patch available
Microsoft cbl2 openssl 1.1.1k-28
Patch available
Microsoft cbl2 hvloader 1.0.1-6
Patch available
Microsoft cbl2 hvloader 1.0.1-5
Patch available

Remediation

Patch Available

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb

Patch Available

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528

Patch Available

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23

Event History

Jul 19, 2023
CVE Published
via MITRE·11:31 AM
Data Sourced
via MITRE·11:31 AM
DescriptionWeakness
Data Sourced
12:15 PM
Description
Jul 24, 2023
Data Sourced
via Red Hat·05:15 AM
DescriptionSeverityAffected Software
Jun 28, 2024
Data Sourced
via Launchpad·02:37 AM
Description
Jun 30, 2024
Data Sourced
via Microsoft·02:00 PM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·02:00 PM
Affected Software
Updated
via Microsoft·02:00 PM
Description
Updated
via Microsoft·02:00 PM
DescriptionSeverity
Jul 23, 2024
Data Sourced
via IBM·12:00 AM
DescriptionSeverityAffected Software
Sep 20, 2024
Data Sourced
via Ubuntu·04:15 AM
RemedyDescriptionSeverityAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2023-3446?

CVE-2023-3446 is a vulnerability that affects OpenSSL versions 1.0.2, 3.0.0, 3.1.0, and 3.1.1.

2

How does CVE-2023-3446 impact applications?

Applications that use certain functions in OpenSSL to check DH keys or parameters may experience long delays.

3

What is the severity of CVE-2023-3446?

CVE-2023-3446 has a severity rating of 5.3, which is considered medium.

4

How can I fix CVE-2023-3446?

To fix CVE-2023-3446, you should update OpenSSL to a patched version.

5

Where can I find more information about CVE-2023-3446?

You can find more information about CVE-2023-3446 in the references provided: [Reference 1](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23), [Reference 2](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528), [Reference 3](https://www.openssl.org/news/secadv/20230719.txt).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203