PT-2023-4554 · OpenSSL
Credit: Bernd Edlinger
Published 2023-07-31 · Updated 2026-04-27
CVE-2023-3817
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 3.0
OpenSSL versions prior to 3.1
Description
The issue is related to the functions DH_check(), DH_check_ex(), and EVP_PKEY_param_check() in the OpenSSL library. These functions can take excessively long when checking overly long DH keys or parameters, potentially leading to a Denial of Service if the key or parameters are obtained from an untrusted source. DH_check() performs various checks on DH parameters, and a large q parameter value can trigger an overly long computation during some of these checks. The OpenSSL SSL/TLS implementation and the OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
Recommendations
For OpenSSL versions prior to 3.0, update to version 3.0 or later to resolve the issue.
For OpenSSL versions prior to 3.1, update to version 3.1 or later to resolve the issue.
As a temporary workaround, consider restricting the use of the DH_check(), DH_check_ex(), and EVP_PKEY_param_check() functions to minimize the risk of exploitation.
Avoid using the dhparam and pkeyparam command line applications with the "-check" option until the issue is resolved.
Fix
DoS
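Added example (not OpenSSL's code or the advisory's): a stdlib-only Python pre-check that applies the workaround above by size-gating untrusted DH parameters before they are handed to DH_check(). It assumes the X9.42 DER layout (p, g, q in that order), constructs its own sample blobs, and uses a modulus bound chosen to match OpenSSL's OPENSSL_DH_MAX_MODULUS_BITS; the q-no-larger-than-p rule is the example's own cheap bound, not text from the advisory.

```python
MAX_MODULUS_BITS = 10000  # assumption: mirrors OpenSSL's OPENSSL_DH_MAX_MODULUS_BITS
def _der_len(n):
    # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(v):
    """DER INTEGER for a non-negative int (pads 0x00 so the sign bit stays clear)."""
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b

def der_seq(*items):
    # DER SEQUENCE wrapping already-encoded items (used to build constructed samples)
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_dh_params(der):
    """Return {'p','g'[,'q']} from a DER blob laid out as X9.42: p, g, q."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body) and len(ints) < 3:
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02:
            break
        ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) < 2:
        raise ValueError("missing p or g")
    return dict(zip(("p", "g", "q"), ints))

def precheck_dh_params(der):
    """Cheap bit-length gate to run before DH_check(); returns (ok, reason).
    No primality or subgroup work is done here, so cost stays linear in input size."""
    params = parse_dh_params(der)
    p_bits = params["p"].bit_length()
    if p_bits > MAX_MODULUS_BITS:
        return False, "modulus too large: %d bits" % p_bits
    q = params.get("q")
    if q is not None and q.bit_length() > p_bits:  # the oversized-q case the advisory names
        return False, "q larger than p: %d > %d bits" % (q.bit_length(), p_bits)
    return True, "sizes within bounds; proceed to DH_check()"
```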
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Ibm Aix
Linuxmint
Openssl
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu