Bug 1213487 (CVE-2023-3446) - VUL-0: CVE-2023-3446: openssl-1_1,openssl1,openssl-3,openssl-1_0_0: Excessive time spent checking DH keys and parameters
Summary: VUL-0: CVE-2023-3446: openssl-1_1,openssl1,openssl-3,openssl-1_0_0: Excessive...
Status: RESOLVED FIXED
Alias: CVE-2023-3446
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/372979/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-3446:5.3:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-19 14:01 UTC by Robert Frohl
Modified: 2024-05-22 11:06 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2023-07-19 14:01:41 UTC
CVE-2023-3446

Posted by Tomas Mraz on Jul 19

OpenSSL Security Advisory [19th July 2023]
==========================================

Excessive time spent checking DH keys and parameters (CVE-2023-3446)
====================================================================

Severity: Low

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3446
https://seclists.org/oss-sec/2023/q3/44
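The advisory quoted above describes the failure mode (validation of an oversized DH modulus becomes very slow) but not the defensive pattern. The following is an added illustration, written for this page and not code from the advisory, from OpenSSL, or from the SUSE packages: bound the modulus bit length before any primality test runs, so an attacker-supplied huge `p` is rejected cheaply instead of driving the expensive arithmetic. The ceiling value `MAX_MODULUS_BITS`, the function names and the sample parameters are assumptions made for the example.

```python
"""Size-gated DH parameter validation (added example, not OpenSSL code).

The primality tests behind a DH parameter check cost one modular
exponentiation per round, and that cost grows roughly with the cube of the
modulus bit length. An oversized, attacker-supplied p therefore turns a
"check" call into a denial of service unless its size is bounded first.
"""
import random

# Assumed ceiling chosen for illustration; the advisory text gives no number.
MAX_MODULUS_BITS = 10000


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probable-prime test; the expensive step we want to gate."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    # Write n - 1 as d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed seed keeps the example deterministic
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def check_dh_params(p: int, g: int, max_bits: int = MAX_MODULUS_BITS):
    """Validate a safe-prime DH (p, g) pair and return (ok, reason).

    The size gate runs first, so an oversized p is rejected with a single
    bit-length comparison and never reaches the primality tests.
    """
    if p.bit_length() > max_bits:
        return False, "modulus too large"
    if p < 5 or p % 2 == 0:
        return False, "modulus not an odd prime candidate"
    if not 1 < g < p - 1:
        return False, "generator out of range"
    if not is_probable_prime(p):
        return False, "modulus not prime"
    if not is_probable_prime((p - 1) // 2):
        return False, "modulus not a safe prime"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a small safe prime, and an oversized odd number
    # that the gate rejects before any primality test starts.
    print(check_dh_params(23, 5))
    print(check_dh_params((1 << 20000) + 1, 2))
```

The ordering is the point: the comparison against `max_bits` is the only work done on an oversized input, which is the same shape of fix the linked upstream commits apply to `DH_check()` and its callers.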
Comment 3 Pedro Monreal Gonzalez 2023-07-20 07:06:06 UTC
OpenSSL 3.1.x branch:
  * Fixes: https://github.com/openssl/openssl/commit/fc9867c1
  * Tests: https://github.com/openssl/openssl/commit/4791e79b
  * Change: https://github.com/openssl/openssl/commit/047a4c5c

OpenSSL 3.0.x branch:
  * Fixes: https://github.com/openssl/openssl/commit/1fa20cf2
  * Tests: https://github.com/openssl/openssl/commit/8a62fd99
  * Change: https://github.com/openssl/openssl/commit/1ec281fc

OpenSSL 1.1.1x branch:
  * Fixes: https://github.com/openssl/openssl/commit/8780a896
  * Tests: https://github.com/openssl/openssl/commit/e9ddae17
  * Change: https://github.com/openssl/openssl/commit/97b4f2b5

Regarding the other versions, 1.0.2x, 1.0.1x and 0.9.8x, they are all affected and we could set the max limit for them too. I'll prepare submissions in a moment.
Comment 10 Pedro Monreal Gonzalez 2023-07-20 12:58:05 UTC
Summary of submissions:

> Codestream                    Package            Request
> -----------------------------------------------------------------------------------------
> SUSE:ALP:Source:Standard:1.0  openssl-3          https://build.suse.de/request/show/303410
> SUSE:SLE-15-SP5:Update        openssl-3          https://build.suse.de/request/show/303404
> SUSE:SLE-15-SP4:Update        openssl-3          https://build.suse.de/request/show/303405
> openSUSE:Factory              openssl-3          https://build.opensuse.org/request/show/1099669
> -----------------------------------------------------------------------------------------
> SUSE:ALP:Source:Standard:1.0  openssl-1_1        https://build.suse.de/request/show/303411
> SUSE:SLE-15-SP5:Update        openssl-1_1        https://build.suse.de/request/show/303420
> SUSE:SLE-15-SP4:Update        openssl-1_1        https://build.suse.de/request/show/303421
> SUSE:SLE-15-SP2:Update        openssl-1_1        https://build.suse.de/request/show/303422
> SUSE:SLE-15-SP1:Update        openssl-1_1        https://build.suse.de/request/show/303423
> SUSE:SLE-12-SP4:Update        openssl-1_1        https://build.suse.de/request/show/303424
> openSUSE:Factory              openssl-1_1        https://build.opensuse.org/request/show/1099670
> -----------------------------------------------------------------------------------------
> SUSE:SLE-15:Update            openssl-1_0_0      https://build.suse.de/request/show/303431
> SUSE:SLE-12-SP4:Update        openssl-1_0_0      https://build.suse.de/request/show/303430
> SUSE:SLE-12-SP2:Update        openssl            https://build.suse.de/request/show/303432
> SUSE:SLE-11-SP3:Update        openssl1           https://build.suse.de/request/show/303433
> openSUSE:Factory              openssl-1_0_0      https://build.opensuse.org/request/show/1099702
> -----------------------------------------------------------------------------------------
> SUSE:SLE-12:Update            compat-openssl098  https://build.suse.de/request/show/303442
> SUSE:SLE-11-SP1:Update        openssl            https://build.suse.de/request/show/303441
Comment 13 Maintenance Automation 2023-07-25 08:49:48 UTC
SUSE-SU-2023:2962-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1213487
CVE References: CVE-2023-3446
Sources used:
openSUSE Leap 15.4 (src): openssl-1_1-1.1.1l-150400.7.48.1
openSUSE Leap Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.48.1
openSUSE Leap Micro 5.4 (src): openssl-1_1-1.1.1l-150400.7.48.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): openssl-1_1-1.1.1l-150400.7.48.1
SUSE Linux Enterprise Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.48.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): openssl-1_1-1.1.1l-150400.7.48.1
SUSE Linux Enterprise Micro 5.4 (src): openssl-1_1-1.1.1l-150400.7.48.1
Basesystem Module 15-SP4 (src): openssl-1_1-1.1.1l-150400.7.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2023-07-25 08:49:51 UTC
SUSE-SU-2023:2961-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1213487
CVE References: CVE-2023-3446
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): openssl-1_1-1.1.0i-150100.14.59.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): openssl-1_1-1.1.0i-150100.14.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): openssl-1_1-1.1.0i-150100.14.59.1
SUSE CaaS Platform 4.0 (src): openssl-1_1-1.1.0i-150100.14.59.1

Comment 15 Maintenance Automation 2023-07-25 13:25:50 UTC
SUSE-SU-2023:2965-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1213487
CVE References: CVE-2023-3446
Sources used:
openSUSE Leap 15.5 (src): openssl-1_1-1.1.1l-150500.17.9.1
Basesystem Module 15-SP5 (src): openssl-1_1-1.1.1l-150500.17.9.1

Comment 16 Maintenance Automation 2023-07-25 13:25:52 UTC
SUSE-SU-2023:2964-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1213487
CVE References: CVE-2023-3446
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssl-1_1-1.1.1d-2.92.1
SUSE Linux Enterprise Server 12 SP5 (src): openssl-1_1-1.1.1d-2.92.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssl-1_1-1.1.1d-2.92.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): openssl-1_1-1.1.1d-2.92.1

Comment 17 Maintenance Automation 2023-07-26 08:52:14 UTC
SUSE-SU-2023:2973-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1213487
CVE References: CVE-2023-3446
Sources used:
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE 11-SP4 (src): openssl-0.9.8j-0.106.77.1
SUSE Linux Enterprise Server 11 SP4 (src): openssl-0.9.8j-0.106.77.1

Comment 18 Maintenance Automation 2023-07-26 08:52:16 UTC
SUSE-SU-2023:2972-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1213487
CVE References: CVE-2023-3446
Sources used:
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE 11-SP4 (src): openssl1-1.0.1g-0.58.73.1
SUSE Linux Enterprise Server 11 SP4 (src): openssl1-1.0.1g-0.58.73.1

Comment 19 Maintenance Automation 2023-07-28 16:30:01 UTC
SUSE-SU-2023:3013-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1213383, 1213487
CVE References: CVE-2023-2975, CVE-2023-3446
Sources used:
openSUSE Leap 15.4 (src): openssl-3-3.0.8-150400.4.31.2
Basesystem Module 15-SP4 (src): openssl-3-3.0.8-150400.4.31.2

Comment 20 Maintenance Automation 2023-07-28 16:30:04 UTC
SUSE-SU-2023:3012-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1213487
CVE References: CVE-2023-3446
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): openssl-1_0_0-1.0.2p-3.81.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssl-1_0_0-1.0.2p-3.81.1
SUSE Linux Enterprise Server 12 SP5 (src): openssl-1_0_0-1.0.2p-3.81.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssl-1_0_0-1.0.2p-3.81.1

Comment 21 Maintenance Automation 2023-07-28 16:30:05 UTC
SUSE-SU-2023:3011-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1213383, 1213487
CVE References: CVE-2023-2975, CVE-2023-3446
Sources used:
openSUSE Leap 15.5 (src): openssl-3-3.0.8-150500.5.8.1
Basesystem Module 15-SP5 (src): openssl-3-3.0.8-150500.5.8.1

Comment 22 Maintenance Automation 2023-08-01 12:30:15 UTC
SUSE-SU-2023:3096-1: An update that solves two vulnerabilities and has one fix can now be installed.

Category: security (moderate)
Bug References: 1201627, 1207534, 1213487
CVE References: CVE-2022-4304, CVE-2023-3446
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): compat-openssl098-0.9.8j-106.58.1
Legacy Module 12 (src): compat-openssl098-0.9.8j-106.58.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): compat-openssl098-0.9.8j-106.58.1

Comment 23 Maintenance Automation 2023-08-01 12:30:20 UTC
SUSE-SU-2023:3093-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1213487
CVE References: CVE-2023-3446
Sources used:
Legacy Module 15-SP4 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
Legacy Module 15-SP5 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
SUSE Enterprise Storage 7.1 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
SUSE Enterprise Storage 7 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
SUSE CaaS Platform 4.0 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
openSUSE Leap 15.4 (src): openssl-1_0_0-1.0.2p-150000.3.82.1
openSUSE Leap 15.5 (src): openssl-1_0_0-1.0.2p-150000.3.82.1

Comment 25 Maintenance Automation 2023-08-02 12:30:16 UTC
SUSE-SU-2023:3160-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1213487
CVE References: CVE-2023-3446
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): openssl-1.0.2j-60.101.1

Comment 27 Maintenance Automation 2023-08-03 16:30:02 UTC
SUSE-SU-2023:3179-1: An update that solves two vulnerabilities and has one fix can now be installed.

Category: security (moderate)
Bug References: 1201627, 1207534, 1213487
CVE References: CVE-2022-4304, CVE-2023-3446
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Linux Enterprise Real Time 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Manager Proxy 4.2 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Manager Retail Branch Server 4.2 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Manager Server 4.2 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Enterprise Storage 7.1 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Enterprise Storage 7 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Linux Enterprise Micro 5.1 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Linux Enterprise Micro 5.2 (src): openssl-1_1-1.1.1d-150200.11.72.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): openssl-1_1-1.1.1d-150200.11.72.1

Comment 37 Robert Frohl 2024-05-22 11:06:02 UTC
done, closing