PT-2023-7560 · OpenSSL
David Benjamin
Published 2023-10-24 · Updated 2026-04-29
CVE-2023-5678
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 1.1.1w
Description
The issue concerns the generation and checking of excessively long X9.42 DH keys or parameters, which may cause long delays in applications using the affected functions. This can lead to a Denial of Service attack if the key or parameters are obtained from an untrusted source. The DH_generate_key() and DH_check_pub_key() functions are vulnerable to excessively large P and Q parameters. Other affected functions include DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). The OpenSSL pkey command line application and the OpenSSL genpkey command line application are also vulnerable when using the "-pubcheck" option.
Recommendations
To resolve the issue, update OpenSSL to version 1.1.1w or later.
As a temporary workaround, consider disabling the DH_generate_key() and DH_check_pub_key() functions until a patch is available.
Restrict access to the vulnerable DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate() functions to minimize the risk of exploitation.
Avoid using the pkey command line application with the "-pubcheck" option and the genpkey command line application until the issue is resolved.
Fix
DoS
Improper Check for Exceptional Conditions
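A size-bounded pre-check of the kind the recommendations above call for, as an added Python example that is not OpenSSL's code: the bit-length limit is assumed to follow OpenSSL's OPENSSL_DH_MAX_MODULUS_BITS (10000 bits), and the toy group p = 23, q = 11 is constructed for the demonstration.

```python
"""Size-bounded validation of untrusted X9.42 DH parameters and public keys.

Illustrative code, not OpenSSL's. MAX_MODULUS_BITS is an assumption modelled
on the value of OpenSSL's OPENSSL_DH_MAX_MODULUS_BITS (10000).
"""
from typing import Optional

MAX_MODULUS_BITS = 10000  # assumed bound, modelled on OPENSSL_DH_MAX_MODULUS_BITS


class DHParamError(ValueError):
    """Raised when parameters are rejected before any expensive arithmetic."""


def check_param_sizes(p: int, q: Optional[int], max_bits: int = MAX_MODULUS_BITS) -> None:
    """Cheap bit-length checks that must run before any pow(): the cost of the
    subgroup check and of key generation grows with the size of p and q, so
    unbounded values from an untrusted peer can stall the process."""
    if p.bit_length() > max_bits:
        raise DHParamError(f"p is {p.bit_length()} bits, above the {max_bits}-bit limit")
    if q is not None:
        if q.bit_length() > max_bits:
            raise DHParamError(f"q is {q.bit_length()} bits, above the {max_bits}-bit limit")
        if q >= p:  # q divides p-1 in a valid X9.42 group, so q must be smaller than p
            raise DHParamError("q is not smaller than p")


def check_pub_key(p: int, q: Optional[int], pub: int) -> bool:
    """Validate a peer public key in the manner of DH_check_pub_key, after the
    size checks: range test, then subgroup membership pub^q == 1 (mod p)."""
    check_param_sizes(p, q)
    if not 1 < pub < p - 1:
        return False
    if q is not None:
        # This modular exponentiation is the expensive step; its running time
        # scales with the bit length of q, hence the bound enforced above.
        return pow(pub, q, p) == 1
    return True


# Constructed toy group: p = 23, q = 11; the element 2 has order 11 mod 23.
if __name__ == "__main__":
    print(check_pub_key(23, 11, 4))  # 4 = 2^2 lies in the order-11 subgroup -> True
    print(check_pub_key(23, 11, 5))  # 5 is not in that subgroup -> False
    try:
        check_pub_key(23, 1 << 10001, 4)  # oversized q is refused before pow() runs
    except DHParamError as exc:
        print("rejected:", exc)
```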
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
IBM AIX
Linux Mint
OpenSSL
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu