exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 24 of 24 RSS Feed

CVE-2023-3446

Status Candidate

Overview

Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Related Files

Ubuntu Security Notice USN-7018-1
Posted Sep 18, 2024
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 7018-1 - Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky discovered that certain Diffie-Hellman ciphersuites in the TLS specification and implemented by OpenSSL contained a flaw. A remote attacker could possibly use this issue to eavesdrop on encrypted communications. This was fixed in this update by removing the insecure ciphersuites from OpenSSL. Paul Kehrer discovered that OpenSSL incorrectly handled certain input lengths in EVP functions. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.

tags | advisory, remote, denial of service
systems | linux, ubuntu
advisories | CVE-2020-1968, CVE-2021-23840, CVE-2022-1292, CVE-2022-2068, CVE-2023-3446, CVE-2024-0727
SHA-256 | 587acc1f444243f9ef3c25e4d1de8aecbfcae8208b00502e26bf42e93ab7624c
Ubuntu Security Notice USN-6994-1
Posted Sep 10, 2024
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6994-1 - It was discovered that Netty did not properly sanitize its input parameters. A remote attacker could possibly use this issue to cause a crash. It was discovered that Netty incorrectly handled request cancellation. A remote attacker could possibly use this issue to cause Netty to consume resources, leading to a denial of service.

tags | advisory, remote, denial of service
systems | linux, ubuntu
advisories | CVE-2023-34462, CVE-2023-44487
SHA-256 | 151f4791ce1bf18350da328db884812f982e73c362b6de11f386b30f3d2006ef
Ubuntu Security Notice USN-6709-1
Posted Mar 22, 2024
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6709-1 - It was discovered that checking excessively long DH keys or parameters may be very slow. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. After the fix for CVE-2023-3446 Bernd Edlinger discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service.

tags | advisory, remote, denial of service
systems | linux, ubuntu
advisories | CVE-2023-3446, CVE-2023-3817, CVE-2023-5678, CVE-2024-0727
SHA-256 | a3c85443f6ce0636dc4acc75b294ee38bc75374485acad341a73a787d547a0cb
Red Hat Security Advisory 2024-0888-03
Posted Feb 20, 2024
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2024-0888-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.

tags | advisory
systems | linux, redhat
advisories | CVE-2023-3446
SHA-256 | 2caf5966bd70f2ed6f8c6c31a70942293c3b0c858d8049a4eea7b0a0e6470c95
Red Hat Security Advisory 2024-0208-03
Posted Jan 12, 2024
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2024-0208-03 - An update for openssl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

tags | advisory
systems | linux, redhat
advisories | CVE-2023-3446
SHA-256 | e2683b7e7c1eaa4b94be8055f2acd55b322b5b3279616fd95b5e10c29c82304c
Red Hat Security Advisory 2024-0154-03
Posted Jan 11, 2024
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2024-0154-03 - An update for openssl is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

tags | advisory
systems | linux, redhat
advisories | CVE-2023-3446
SHA-256 | a2ff91af53be88263e3b464863f1bf0c4a0ac27b80070788392aeb8944a288e8
Red Hat Security Advisory 2023-7877-03
Posted Dec 20, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-7877-03 - An update for openssl is now available for Red Hat Enterprise Linux 8.

tags | advisory
systems | linux, redhat
advisories | CVE-2023-3446
SHA-256 | 79766b90d0f80e7196504f3ddf5e7b091dcb56864a6c0e4babe5c713cefd9c29
Debian Security Advisory 5558-1
Posted Nov 20, 2023
Authored by Debian | Site debian.org

Debian Linux Security Advisory 5558-1 - Two security vulnerabilities have been discovered in Netty, a Java NIO client/server socket framework.

tags | advisory, java, vulnerability
systems | linux, debian
advisories | CVE-2023-34462, CVE-2023-44487
SHA-256 | 23d44cf0ae6f714d7e561de1cde1502c1854f5a0c48f997685f74b83329351c0
Ubuntu Security Notice USN-6435-2
Posted Oct 26, 2023
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6435-2 - USN-6435-1 fixed vulnerabilities in OpenSSL. This update provides the corresponding updates for Ubuntu 20.04 LTS. It was discovered that OpenSSL incorrectly handled excessively large Diffie-Hellman parameters. An attacker could possibly use this issue to cause a denial of service.

tags | advisory, denial of service, vulnerability
systems | linux, ubuntu
advisories | CVE-2023-3446, CVE-2023-3817
SHA-256 | 59d340970afcd638ff53547b215993cbec3a2b96fa9685449422e51dfd241ffb
Red Hat Security Advisory 2023-5946-01
Posted Oct 20, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-5946-01 - Red Hat AMQ Broker 7.11.3 is now available from the Red Hat Customer Portal. Issues addressed include denial of service and open redirection vulnerabilities.

tags | advisory, denial of service, vulnerability
systems | linux, redhat
advisories | CVE-2023-34462
SHA-256 | 3e5253e2561ca56e9e736fd6943b53ad9c218451550faad77b16088aa895d299
Ubuntu Security Notice USN-6435-1
Posted Oct 19, 2023
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6435-1 - It was discovered that OpenSSL incorrectly handled excessively large Diffie-Hellman parameters. An attacker could possibly use this issue to cause a denial of service. Bernd Edlinger discovered that OpenSSL incorrectly handled excessively large Diffie-Hellman parameters. An attacker could possibly use this issue to cause a denial of service.

tags | advisory, denial of service
systems | linux, ubuntu
advisories | CVE-2023-3446, CVE-2023-3817
SHA-256 | e4c02d0cf75df128a82009e6b74401d4b3f8c229dcc5899f73bc5f7c3bd1e952
Red Hat Security Advisory 2023-5486-01
Posted Oct 6, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-5486-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.

tags | advisory, java, denial of service, vulnerability
systems | linux, redhat
advisories | CVE-2022-25883, CVE-2023-26136, CVE-2023-26464, CVE-2023-3171, CVE-2023-33201, CVE-2023-34462, CVE-2023-4061
SHA-256 | c41eab1bdefe1734d05ef822e1f40834bb472bd705276a997550cad139f17438
Red Hat Security Advisory 2023-5485-01
Posted Oct 6, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-5485-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.

tags | advisory, java, denial of service, vulnerability
systems | linux, redhat
advisories | CVE-2022-25883, CVE-2023-26136, CVE-2023-26464, CVE-2023-3171, CVE-2023-33201, CVE-2023-34462, CVE-2023-4061
SHA-256 | 05ddf4b2fcec8ec1b289ddd64f5600527dbce6e10cb58168da66cd587b6e820c
Red Hat Security Advisory 2023-5488-01
Posted Oct 6, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-5488-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.

tags | advisory, java, denial of service, vulnerability
systems | linux, redhat
advisories | CVE-2022-25883, CVE-2023-26136, CVE-2023-26464, CVE-2023-3171, CVE-2023-33201, CVE-2023-34462, CVE-2023-4061
SHA-256 | fc29eee544ffd7736060e3f645e7a77e9f8a4138074c2e3661979df5b62f2856
Red Hat Security Advisory 2023-5484-01
Posted Oct 6, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-5484-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.

tags | advisory, java, denial of service, vulnerability
systems | linux, redhat
advisories | CVE-2022-25883, CVE-2023-26136, CVE-2023-26464, CVE-2023-3171, CVE-2023-33201, CVE-2023-34462, CVE-2023-4061
SHA-256 | 8212b9ff95cfb410ac120e8a1a11a37d532f8e090a9b888d64019acf467a6114
Red Hat Security Advisory 2023-5441-01
Posted Oct 5, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-5441-01 - Red Hat Integration Camel for Spring Boot 4.0.0 is now available. Issues addressed include an XML injection vulnerability.

tags | advisory
systems | linux, redhat
advisories | CVE-2022-44729, CVE-2022-44730, CVE-2022-46751, CVE-2023-26048, CVE-2023-26049, CVE-2023-33008, CVE-2023-34462, CVE-2023-40167
SHA-256 | 4985987bfaf6fd9ed60f606650443e1312bbb66be0bb205dc8e01101a680964b
Red Hat Security Advisory 2023-5396-01
Posted Sep 28, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-5396-01 - Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.4.4 replaces Data Grid 8.4.3 and includes bug fixes and enhancements. Issues addressed include a denial of service vulnerability.

tags | advisory, denial of service
systems | linux, redhat
advisories | CVE-2022-45047, CVE-2023-34462, CVE-2023-35116, CVE-2023-35887, CVE-2023-3628, CVE-2023-3629, CVE-2023-5236
SHA-256 | 5388c15c1be8ba9a9c861d5cffb8e69e29258e619854a33049b6445639365da7
Red Hat Security Advisory 2023-5165-01
Posted Sep 15, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-5165-01 - Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. Issues addressed include code execution, denial of service, deserialization, and integer overflow vulnerabilities.

tags | advisory, denial of service, overflow, vulnerability, code execution
systems | linux, redhat
advisories | CVE-2021-37136, CVE-2021-37137, CVE-2022-1471, CVE-2022-24823, CVE-2022-36944, CVE-2023-0482, CVE-2023-26048, CVE-2023-26049, CVE-2023-2976, CVE-2023-33201, CVE-2023-34453, CVE-2023-34454, CVE-2023-34455, CVE-2023-34462
SHA-256 | c7bacd29d694aaaaf457349ec19016b4d130ffc214bfce870fe209e62bdbdd3c
Apache NiFi H2 Connection String Remote Code Execution
Posted Aug 30, 2023
Authored by h00die, Matei Mal Badanoiu | Site metasploit.com

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This exploit will result in several shells (5-7). Successfully tested against Apache nifi 1.17.0 through 1.21.0.

tags | exploit, shell, code execution
advisories | CVE-2023-34468
SHA-256 | 0160a2622a4649020abd8fb0d476ca59d2c4968c668499c8167e44d6c9276020
OpenSSL Toolkit 3.1.2
Posted Aug 1, 2023
Site openssl.org

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. The 3.1.x series is the current major version of OpenSSL.

Changes: Fixed excessive time spent checking DH q parameter value. Fixed DH_check() excessive time with over sized modulus. No longer ignoring empty associated data entries with AES-SIV. A change has been made to the enable-fips option.
tags | encryption, protocol
systems | unix
advisories | CVE-2023-2975, CVE-2023-3446, CVE-2023-3817
SHA-256 | a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539
OpenSSL Toolkit 3.0.10
Posted Aug 1, 2023
Site openssl.org

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. The 3.x series is the current major version of OpenSSL.

Changes: Fixed excessive time spent checking DH q parameter value. Fixed DH_check() excessive time with over sized modulus. No longer ignoring empty associated data entries with AES-SIV.
tags | tool, encryption, protocol
systems | unix
advisories | CVE-2023-2975, CVE-2023-3446, CVE-2023-3817
SHA-256 | 1761d4f5b13a1028b9b6f3d4b8e17feb0cedc9370f6afe61d7193d2cdce83323
OpenSSL Toolkit 1.1.1v
Posted Aug 1, 2023
Site openssl.org

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide.

Changes: Fixed excessive time spent checking DH q parameter value. Fixed DH_check() excessive time with over sized modulus.
tags | tool, encryption, protocol
systems | unix
advisories | CVE-2023-3446, CVE-2023-3817
SHA-256 | d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0
OpenSSL Security Advisory 20230731
Posted Jul 31, 2023
Site openssl.org

OpenSSL Security Advisory 20230731 - Checking excessively long DH keys or parameters may be very slow.

tags | advisory
advisories | CVE-2023-3446, CVE-2023-3817
SHA-256 | b497bf3e1c45020f0f227205c740557918c2fef680976bc3d389ede0493cb6b1
OpenSSL Security Advisory 20230719
Posted Jul 19, 2023
Site openssl.org

OpenSSL Security Advisory 20230719 - Checking excessively long DH keys or parameters may be very slow.

tags | advisory
advisories | CVE-2023-3446
SHA-256 | 317d782978ef6b0abc3f22eb5afa9d3557d2e60a10438b7019257e55a88ad3b0
Page 1 of 1
Back1Next

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close