PT-2024-1576 · Openssl +9
Credit: Oss-Fuzz (+1 more)
Published 2024-01-15 · Updated 2026-04-27
CVE-2023-6237
CVSS v3.1: 5.9 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OpenSSL 3.0 (3.0.0 to 3.0.12), 3.1 (3.1.0 to 3.1.4) and 3.2.0. OpenSSL 1.1.1 and 1.0.2 are not affected.
Description: The issue is in the function EVP_PKEY_public_check() of the OpenSSL library. When it is called on an RSA public key, a computation is done to confirm that the RSA modulus n is composite. For a valid key, n is a product of two or more large primes and this completes quickly; if n is instead an overly large prime, the computation takes a very long time. An application that calls EVP_PKEY_public_check() on RSA public keys obtained from an untrusted source can therefore be stalled by a single crafted key, i.e. a Denial of Service (DoS). EVP_PKEY_public_check() is not called from other OpenSSL functions, but it is called from the OpenSSL pkey command line application, which is vulnerable when used with the '-pubin' and '-check' options on untrusted data. The OpenSSL SSL/TLS implementation is not affected by this issue.
Recommendations: Upgrade to a release that contains the fix: OpenSSL 3.0.13, 3.1.5 or 3.2.1, or the corresponding vendor package listed under Related Identifiers. Until the upgrade is in place, do not call EVP_PKEY_public_check() on RSA public keys obtained from untrusted sources, or bound the modulus size first (for example with EVP_PKEY_get_bits()) and reject oversized keys before the check runs. Treat 'openssl pkey -pubin -check' as unsafe on untrusted input: restrict who can run it on such data, and run it under a timeout if it must be used.
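The size gate below is an added illustration of the second recommendation; it is not OpenSSL's own code and not the upstream fix. It parses a DER PKCS#1 RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e }) only far enough to learn the bit length of n, so its cost is linear in the input and it does no arithmetic on the modulus; a key that fails the gate is rejected before EVP_PKEY_public_check() would ever run. The cap MAX_RSA_MODULUS_BITS, the DER helpers, make_test_rsa_der() and the two *_for_bits() helpers are this example's own names; the value 16384 matches OPENSSL_RSA_MAX_MODULUS_BITS, and the keys the helpers build are constructed test data, not real keys. When the key is already decoded into an EVP_PKEY, EVP_PKEY_get_bits() gives the same number without any parsing.

```c
/* Added example (not OpenSSL code): bound the RSA modulus size before handing an
 * untrusted public key to EVP_PKEY_public_check().  Only the length of n is read. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same value as OPENSSL_RSA_MAX_MODULUS_BITS in <openssl/rsa.h>. */
#define MAX_RSA_MODULUS_BITS 16384

/* Read a DER length at der[*pos]. Rejects indefinite form, over-long length
 * fields and lengths that overrun the buffer. Returns 1 on success. */
static int der_read_len(const unsigned char *der, size_t len, size_t *pos, size_t *out)
{
    size_t n, i, v = 0;
    if (*pos >= len) return 0;
    n = der[(*pos)++];
    if (n < 0x80) {
        v = n;
    } else {
        n &= 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > len - *pos) return 0;
        for (i = 0; i < n; i++) v = (v << 8) | der[(*pos)++];
    }
    if (v > len - *pos) return 0;
    *out = v;
    return 1;
}

/* Parse just far enough to return the bit length of the modulus.
 * Returns 1 and sets *bits on success, 0 on malformed or truncated input. */
int rsa_modulus_bits_from_der(const unsigned char *der, size_t len, size_t *bits)
{
    size_t pos = 0, seqlen, intlen, i;
    const unsigned char *n;
    unsigned char top;

    if (len == 0 || der[pos++] != 0x30) return 0;        /* SEQUENCE */
    if (!der_read_len(der, len, &pos, &seqlen)) return 0;
    len = pos + seqlen;                                   /* never read past the SEQUENCE */
    if (pos >= len || der[pos++] != 0x02) return 0;       /* INTEGER n */
    if (!der_read_len(der, len, &pos, &intlen) || intlen == 0) return 0;
    n = der + pos;
    if (n[0] & 0x80) return 0;                            /* negative: not a modulus */
    for (i = 0; i < intlen && n[i] == 0; i++) ;           /* skip DER's leading zero byte */
    if (i == intlen) return 0;                            /* n == 0 */
    *bits = (intlen - i - 1) * 8;
    for (top = n[i]; top != 0; top >>= 1) (*bits)++;
    return 1;
}

/* The gate: 1 if the full check may be run on this key, 0 to reject up front. */
int rsa_key_within_bound(const unsigned char *der, size_t len)
{
    size_t bits;
    return rsa_modulus_bits_from_der(der, len, &bits) && bits <= MAX_RSA_MODULUS_BITS;
}

/* ---- constructed test data (not real keys) ---------------------------------- */
static size_t der_len_bytes(size_t v) { return v < 0x80 ? 1 : v < 0x100 ? 2 : v < 0x10000 ? 3 : 4; }

static size_t der_put_len(unsigned char *out, size_t v)
{
    size_t nb = der_len_bytes(v), i;
    if (nb == 1) { out[0] = (unsigned char)v; return 1; }
    out[0] = (unsigned char)(0x80 | (nb - 1));
    for (i = 1; i < nb; i++) out[i] = (unsigned char)(v >> (8 * (nb - 1 - i)));
    return nb;
}

/* Encode an RSAPublicKey whose modulus is exactly nbits wide (top bit set, the
 * rest 0xff) with e = 65537. Syntactically valid, cryptographically meaningless.
 * Returns the encoded length, or 0 if buf is too small. */
size_t make_test_rsa_der(unsigned char *buf, size_t cap, size_t nbits)
{
    static const unsigned char e65537[] = { 0x02, 0x03, 0x01, 0x00, 0x01 };
    size_t nbytes = (nbits + 7) / 8, pad = (nbits % 8 == 0) ? 1 : 0;
    size_t intlen = nbytes + pad;
    size_t content = 1 + der_len_bytes(intlen) + intlen + sizeof e65537;
    size_t total = 1 + der_len_bytes(content) + content, p = 0;

    if (nbits == 0 || total > cap) return 0;
    buf[p++] = 0x30; p += der_put_len(buf + p, content);
    buf[p++] = 0x02; p += der_put_len(buf + p, intlen);
    if (pad) buf[p++] = 0x00;                              /* keep the INTEGER positive */
    buf[p++] = (unsigned char)(1u << ((nbits - 1) % 8));   /* exactly bit nbits-1 set */
    memset(buf + p, 0xff, nbytes - 1); p += nbytes - 1;
    memcpy(buf + p, e65537, sizeof e65537); p += sizeof e65537;
    return p;
}

/* Build an nbits-bit test key and report the gate's verdict (1 accept, 0 reject). */
int gate_verdict_for_bits(size_t nbits)
{
    static unsigned char buf[16384];
    size_t len = make_test_rsa_der(buf, sizeof buf, nbits);
    return len != 0 && rsa_key_within_bound(buf, len);
}

/* Build an nbits-bit test key and return what the parser reads back (0 on failure). */
size_t parsed_bits_for(size_t nbits)
{
    static unsigned char buf[16384];
    size_t len = make_test_rsa_der(buf, sizeof buf, nbits), bits = 0;
    return (len != 0 && rsa_modulus_bits_from_der(buf, len, &bits)) ? bits : 0;
}

int main(void)
{
    /* In production the gate sits in front of decode + check:
     *   if (!rsa_key_within_bound(der, len)) reject the key;
     *   ... d2i_PublicKey() or OSSL_DECODER ..., then EVP_PKEY_public_check(ctx). */
    size_t sizes[] = { 2048, 4096, 16384, 16385, 65536 }, i;
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%6zu-bit modulus: %s\n", sizes[i],
               gate_verdict_for_bits(sizes[i]) ? "run EVP_PKEY_public_check" : "reject before check");
    return 0;
}
```

The gate does not make the check cheaper for keys it accepts; it bounds the worst case at whatever a 16384-bit modulus costs. If a deployment never uses keys above, say, 8192 bits, a tighter cap is the better choice, since the attacker's lever is exactly the modulus size. Truncated, negative or zero moduli are rejected by the parser rather than guessed at, so malformed input never reaches the expensive path either.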

Tags: DoS, Resource Exhaustion


Related Identifiers

ALSA-2024:2447
ALSA-2024:9088
AZL-39946
AZL-39961
AZL-39968
AZL-42688
AZL-42727
AZL-47670
AZL-78561
BDU:2024-01137
CVE-2023-6237
INFSA-2024_2447
INFSA-2024_9088
JLSEC-2026-246
MGASA-2024-0020
MGASA-2024-0036
MGASA-2024-0281
OPENSUSE-SU-2024:13633-1
OPENSUSE-SU-2024_0172-1
OPENSUSE-SU-2024_0518-1
RHSA-2024:2447
RHSA-2024:9088
RHSA-2024_2447
RHSA-2024_9088
RLSA-2024:9088
SUSE-SU-2024:0172-1
SUSE-SU-2024:0518-1
USN-6622-1
USN-7894-1
USN-7894-2

Affected Products

Almalinux
Astra Linux
Ibm Aix
Linuxmint
Openssl
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu