PT-2024-4000 · OpenSSL +8 · Oss-Fuzz +2
Published 2024-05-16 · Updated 2026-04-27
CVE-2024-4603
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions 3.0 and 3.1 FIPS providers
Description
The issue lies in the functions EVP_PKEY_param_check() and EVP_PKEY_public_check() in the OpenSSL library, which can be driven into a Denial of Service (DoS) when checking excessively long DSA keys or parameters. These functions perform various checks on DSA parameters, and some of the computations take a very long time if the modulus (the p parameter) is too large. An application that calls these functions with a key or parameters obtained from an untrusted source could be vulnerable to a DoS attack. The OpenSSL SSL/TLS implementation is not affected by this issue.
Recommendations
For the OpenSSL 3.0 and 3.1 FIPS providers, consider disabling the EVP_PKEY_param_check() and EVP_PKEY_public_check() functions until a patch is available. Restrict access to the pkey and pkeyparam command line applications when they are used with the -check option, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
DoS
Improper Resource Release
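As an added, defender-side illustration (not part of this advisory or of OpenSSL's own code): a pure-Python gate that reads the DSA modulus p out of a DER-encoded parameter set (Dss-Parms) or a DSA SubjectPublicKeyInfo and refuses to pass oversized input on to EVP_PKEY_param_check()/EVP_PKEY_public_check(). The 10000-bit cap is this example's assumed threshold (it equals OpenSSL's OPENSSL_DSA_MAX_MODULUS_BITS), the helper names are the example's own, and PEM input must be base64-decoded to DER before the check.

```python
MAX_MODULUS_BITS = 10000  # assumed cap; same value as OpenSSL's OPENSSL_DSA_MAX_MODULUS_BITS

def _read_tlv(buf, pos):
    """One DER TLV at buf[pos:] -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dsa_modulus_bits(der):
    """Bit length of p from DER Dss-Parms {p, q, g} or a DSA SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, first, _ = _read_tlv(body, 0)
    if tag == 0x30:                              # SPKI: AlgorithmIdentifier {OID, Dss-Parms}
        _, _, after_oid = _read_tlv(first, 0)
        tag, parms, _ = _read_tlv(first, after_oid)
        if tag != 0x30:
            raise ValueError("expected Dss-Parms SEQUENCE")
        tag, first, _ = _read_tlv(parms, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return max(int.from_bytes(first, "big", signed=True), 0).bit_length()

def safe_to_check(der, max_bits=MAX_MODULUS_BITS):
    """Gate: only keys/params whose p is under the cap go on to EVP_PKEY_param_check()."""
    try:
        return 0 < dsa_modulus_bits(der) <= max_bits
    except (ValueError, IndexError):             # malformed input is rejected, not checked
        return False

# Minimal DER encoder, used only to build the constructed samples below.
def _der_len(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b
def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body
def _der_int(n):                                 # unsigned; extra 0x00 byte keeps the sign bit clear
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def dsa_params_der(p, q, g):
    return _der(0x30, _der_int(p) + _der_int(q) + _der_int(g))
def dsa_spki_der(p, q, g, y):                    # OID 1.2.840.10040.4.1 = id-dsa
    alg = _der(0x30, b"\x06\x07\x2a\x86\x48\xce\x38\x04\x01" + dsa_params_der(p, q, g))
    return _der(0x30, alg + _der(0x03, b"\x00" + _der_int(y)))

# Constructed samples: a 2048-bit p (normal) and a 16384-bit p that would trigger the slow checks.
SMALL_PARAMS = dsa_params_der((1 << 2047) | 1, (1 << 255) | 1, 2)
HUGE_SPKI = dsa_spki_der((1 << 16383) | 1, (1 << 255) | 1, 2, 3)
```

The sample values are only size-realistic, not valid DSA parameters; the gate looks at the length of p alone, which is all the slow path depends on.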
Related Identifiers
Affected Products
Almalinux
Ibm Aix
Linuxmint
Openssl
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu