NVD - CVE-2023-3446

CVE-2023-3446 Detail

Description

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option.

The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
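One mitigation an application can apply while it cannot yet upgrade is to bound the modulus size itself before handing untrusted parameters to DH_check() or EVP_PKEY_param_check(). The Python below is an added example, not OpenSSL's code: it parses the PKCS#3 DHParameter DER SEQUENCE and refuses a modulus longer than the 10,000-bit ceiling the description mentions, so the expensive checks are never run on an oversized 'p'. The DER encoder, the sample parameters (not real safe-prime groups) and the function names are constructed for the example.

```python
# Added example: pre-flight modulus size guard for DER-encoded DH parameters
# (PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, generator INTEGER }).
MAX_MODULUS_BITS = 10000  # the 10,000-bit limit OpenSSL applies to DH moduli


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative value; pads a 0x00 if the top bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def der_dhparams(p: int, g: int) -> bytes:
    """Constructed test encoder for DHParameter (used only to build samples)."""
    body = der_int(p) + der_int(g)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, off: int):
    """Read one tag-length-value at offset; returns (tag, value, next_offset)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length


def modulus_bits(der: bytes) -> int:
    """Bit length of the prime 'p' in a DER DHParameter, without any math on it."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DHParameter SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("prime is not an INTEGER")
    return int.from_bytes(p_bytes, "big", signed=True).bit_length()


def safe_to_check(der: bytes, max_bits: int = MAX_MODULUS_BITS) -> bool:
    """True only if the modulus is small enough to pass on to DH_check()."""
    return 0 < modulus_bits(der) <= max_bits
```

The guard only inspects the length of the INTEGER, so it is constant-cost regardless of how large the supplied modulus is.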

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST CVSS score

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST CVSS score

NIST: NVD

Base Score: 5.3 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

ADP: CISA-ADP

Base Score: 5.3 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools


URL Source(s) Tag(s)
http://www.openwall.com/lists/oss-security/2023/07/19/4 CVE
http://www.openwall.com/lists/oss-security/2023/07/19/5 CVE
http://www.openwall.com/lists/oss-security/2023/07/19/6 CVE
http://www.openwall.com/lists/oss-security/2023/07/31/1 CVE
http://www.openwall.com/lists/oss-security/2024/05/16/1 CVE
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb CVE, OpenSSL Software Foundation Mailing List Patch Vendor Advisory
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528 CVE, OpenSSL Software Foundation Mailing List Patch Vendor Advisory
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c CVE, OpenSSL Software Foundation Broken Link Vendor Advisory
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23 CVE, OpenSSL Software Foundation Mailing List Patch Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html CVE
https://security.gentoo.org/glsa/202402-08 CVE
https://security.netapp.com/advisory/ntap-20230803-0011/ CVE
https://www.openssl.org/news/secadv/20230719.txt CVE, OpenSSL Software Foundation Vendor Advisory

Weakness Enumeration

CWE-ID CWE Name Source
CWE-1333 Inefficient Regular Expression Complexity NIST
CWE-606 Unchecked Input for Loop Condition OpenSSL Software Foundation

Known Affected Software Configurations


Change History

15 change records found

CVE Modified by CISA-ADP 6/17/2026 2:14:05 AM

Action Type Old Value New Value
Added SSVC {"timestamp":"2025-04-23T13:26:22.087194Z","id":"CVE-2023-3446","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

CVE Modified by OpenSSL Software Foundation 6/17/2026 2:14:05 AM

Action Type Old Value New Value
Added Affected [{"vendor":"OpenSSL","product":"OpenSSL","defaultStatus":"unaffected","versions":[{"version":"3.1.0","lessThan":"3.1.2","versionType":"semver","status":"affected"},{"version":"3.0.0","lessThan":"3.0.10","versionType":"semver","status":"affected"},{"version":"1.1.1","lessThan":"1.1.1v","versionType":"custom","status":"affected"},{"version":"1.0.2","lessThan":"1.0.2zi","versionType":"custom","status":"affected"}]}]

CVE Modified by CISA-ADP 4/23/2025 1:16:36 PM

Action Type Old Value New Value
Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE Modified by CVE 11/21/2024 3:17:17 AM

Action Type Old Value New Value
Added Reference http://www.openwall.com/lists/oss-security/2023/07/19/4
Added Reference http://www.openwall.com/lists/oss-security/2023/07/19/5
Added Reference http://www.openwall.com/lists/oss-security/2023/07/19/6
Added Reference http://www.openwall.com/lists/oss-security/2023/07/31/1
Added Reference http://www.openwall.com/lists/oss-security/2024/05/16/1
Added Reference https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb
Added Reference https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528
Added Reference https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c
Added Reference https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23
Added Reference https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html
Added Reference https://security.gentoo.org/glsa/202402-08
Added Reference https://security.netapp.com/advisory/ntap-20230803-0011/
Added Reference https://www.openssl.org/news/secadv/20230719.txt

CVE Modified by OpenSSL Software Foundation 10/14/2024 11:15:11 AM

Action Type Old Value New Value
Added CWE OpenSSL Software Foundation CWE-606
Removed Reference OpenSSL Software Foundation http://www.openwall.com/lists/oss-security/2023/07/19/4
Removed Reference OpenSSL Software Foundation http://www.openwall.com/lists/oss-security/2023/07/19/5
Removed Reference OpenSSL Software Foundation http://www.openwall.com/lists/oss-security/2023/07/19/6
Removed Reference OpenSSL Software Foundation http://www.openwall.com/lists/oss-security/2023/07/31/1
Removed Reference OpenSSL Software Foundation http://www.openwall.com/lists/oss-security/2024/05/16/1
Removed Reference OpenSSL Software Foundation https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html
Removed Reference OpenSSL Software Foundation https://security.gentoo.org/glsa/202402-08
Removed Reference OpenSSL Software Foundation https://security.netapp.com/advisory/ntap-20230803-0011/

CVE Modified by OpenSSL Software Foundation 6/10/2024 1:16:12 PM

Action Type Old Value New Value
Added Reference OpenSSL Software Foundation http://www.openwall.com/lists/oss-security/2024/05/16/1 [No types assigned]

CVE Modified by OpenSSL Software Foundation 5/14/2024 9:32:29 AM

Action Type Old Value New Value

CVE Modified by OpenSSL Software Foundation 2/04/2024 4:15:09 AM

Action Type Old Value New Value
Added Reference OpenSSL Software Foundation https://security.gentoo.org/glsa/202402-08 [No types assigned]

Modified Analysis by NIST 10/03/2023 11:48:00 AM

Action Type Old Value New Value
Changed CPE Configuration OR *cpe:2.3:a:openssl:openssl:1.0.2:-:*:*:*:*:*:* *cpe:2.3:a:openssl:openssl:3.0.0:-:*:*:*:*:*:* *cpe:2.3:a:openssl:openssl:3.1.0:-:*:*:*:*:*:* *cpe:2.3:a:openssl:openssl:3.1.1:-:*:*:*:*:*:* OR *cpe:2.3:a:openssl:openssl:1.0.2:-:*:*:*:*:*:* *cpe:2.3:a:openssl:openssl:1.1.1:-:*:*:*:*:*:* *cpe:2.3:a:openssl:openssl:3.0.0:-:*:*:*:*:*:* *cpe:2.3:a:openssl:openssl:3.1.0:-:*:*:*:*:*:* *cpe:2.3:a:openssl:openssl:3.1.1:-:*:*:*:*:*:*
Changed Reference Type http://www.openwall.com/lists/oss-security/2023/07/31/1 No Types Assigned http://www.openwall.com/lists/oss-security/2023/07/31/1 Mailing List, Third Party Advisory
Changed Reference Type https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb Mailing List, Patch https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb Mailing List, Patch, Vendor Advisory
Changed Reference Type https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528 Mailing List, Patch https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528 Mailing List, Patch, Vendor Advisory
Changed Reference Type https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c Broken Link https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c Broken Link, Vendor Advisory
Changed Reference Type https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23 Mailing List, Patch https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23 Mailing List, Patch, Vendor Advisory
Changed Reference Type https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html No Types Assigned https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html Mailing List, Third Party Advisory
Changed Reference Type https://security.netapp.com/advisory/ntap-20230803-0011/ No Types Assigned https://security.netapp.com/advisory/ntap-20230803-0011/ Third Party Advisory

CVE Modified by OpenSSL Software Foundation 8/16/2023 4:15:41 AM

Action Type Old Value New Value
Added Reference https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html [No Types Assigned]

CVE Modified by OpenSSL Software Foundation 8/03/2023 11:15:30 AM

Action Type Old Value New Value
Added Reference https://security.netapp.com/advisory/ntap-20230803-0011/ [No Types Assigned]

CVE Modified by OpenSSL Software Foundation 7/31/2023 2:15:10 PM

Action Type Old Value New Value
Added Reference http://www.openwall.com/lists/oss-security/2023/07/31/1 [No Types Assigned]

Initial Analysis by NIST 7/28/2023 3:02:27 PM

Action Type Old Value New Value
Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Added CWE NIST CWE-1333
Added CPE Configuration OR *cpe:2.3:a:openssl:openssl:1.0.2:-:*:*:*:*:*:* *cpe:2.3:a:openssl:openssl:3.0.0:-:*:*:*:*:*:* *cpe:2.3:a:openssl:openssl:3.1.0:-:*:*:*:*:*:* *cpe:2.3:a:openssl:openssl:3.1.1:-:*:*:*:*:*:*
Changed Reference Type http://www.openwall.com/lists/oss-security/2023/07/19/4 No Types Assigned http://www.openwall.com/lists/oss-security/2023/07/19/4 Mailing List, Third Party Advisory
Changed Reference Type http://www.openwall.com/lists/oss-security/2023/07/19/5 No Types Assigned http://www.openwall.com/lists/oss-security/2023/07/19/5 Mailing List, Third Party Advisory
Changed Reference Type http://www.openwall.com/lists/oss-security/2023/07/19/6 No Types Assigned http://www.openwall.com/lists/oss-security/2023/07/19/6 Mailing List, Third Party Advisory
Changed Reference Type https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb No Types Assigned https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb Mailing List, Patch
Changed Reference Type https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528 No Types Assigned https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528 Mailing List, Patch
Changed Reference Type https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c No Types Assigned https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c Broken Link
Changed Reference Type https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23 No Types Assigned https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23 Mailing List, Patch
Changed Reference Type https://www.openssl.org/news/secadv/20230719.txt No Types Assigned https://www.openssl.org/news/secadv/20230719.txt Vendor Advisory

CVE Modified by OpenSSL Software Foundation 7/19/2023 2:15:11 PM

Action Type Old Value New Value
Added Reference http://www.openwall.com/lists/oss-security/2023/07/19/6 [No Types Assigned]

CVE Modified by OpenSSL Software Foundation 7/19/2023 11:15:11 AM

Action Type Old Value New Value
Added Reference http://www.openwall.com/lists/oss-security/2023/07/19/4 [No Types Assigned]
Added Reference http://www.openwall.com/lists/oss-security/2023/07/19/5 [No Types Assigned]

Quick Info

CVE Dictionary Entry:
CVE-2023-3446
NVD Published Date:
07/19/2023
NVD Last Modified:
06/17/2026
Source:
OpenSSL Software Foundation