NVD - CVE-2024-4603
CVE-2024-4603 Detail
Description
Issue summary: Checking excessively long DSA keys or parameters may be very slow.

Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters being checked have been obtained from an untrusted source, this may lead to a Denial of Service.

The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow, and OpenSSL will not allow using public keys with a modulus over 10,000 bits in length for signature verification. However, the key and parameter check functions do not limit the modulus size when performing the checks.

An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys, so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option.

The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.
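The mitigation the description points to is to bound the modulus size before the expensive check runs. The Python below is an added example written for this page, not OpenSSL's code: it reads the bit length of `p` straight off DER-encoded DSA parameters and refuses anything over the 10,000-bit verification bound quoted above before the bytes would reach EVP_PKEY_param_check(). It assumes the plain `SEQUENCE { INTEGER p, INTEGER q, INTEGER g }` parameter encoding; the function names, the threshold constant and the sample inputs are this example's own.

```python
# Added example (not OpenSSL's code): reject untrusted DER DSA parameters
# with an oversized p before EVP_PKEY_param_check() does the slow work.
MAX_MODULUS_BITS = 10_000   # mirrors the verification bound quoted above

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos] -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2   # IndexError if truncated
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def dsa_modulus_bits(der):
    """Bit length of p, read straight off the encoding (no big-number math)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, p, _ = _read_tlv(body, 0)
    if tag != 0x02 or not p or p[0] & 0x80:
        raise ValueError("p is not a positive DER INTEGER")
    p = p.lstrip(b"\x00")                                # drop sign padding
    return (len(p) - 1) * 8 + p[0].bit_length() if p else 0

def safe_to_check(der):
    """True only if p is small enough to hand to the expensive checker."""
    try:
        return dsa_modulus_bits(der) <= MAX_MODULUS_BITS
    except (ValueError, IndexError):                     # malformed -> reject
        return False

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def encode_dsa_params(p, q, g):
    def integer(n):          # extra leading 0x00 keeps a high-bit value positive
        raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
        return b"\x02" + _der_len(len(raw)) + raw
    body = integer(p) + integer(q) + integer(g)
    return b"\x30" + _der_len(len(body)) + body

# Constructed samples (not real DSA groups): a 2048-bit p and a 20001-bit p.
SAMPLE_OK = encode_dsa_params((1 << 2047) | 1, (1 << 255) | 1, 2)
SAMPLE_OVERSIZED = encode_dsa_params((1 << 20000) | 1, (1 << 255) | 1, 2)
```

Only parameters for which `safe_to_check()` returns True should be passed on to EVP_PKEY_param_check(); the size test costs a few byte reads regardless of how large `p` is.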
Metrics
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
N/A
NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
ADP: CISA-ADP
Base Score: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0 Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
References to Advisories, Solutions, and Tools
| URL | Source(s) | Tag(s) |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2024/05/16/2 | CVE | |
| https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397 | CVE, OpenSSL Software Foundation | |
| https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e | CVE, OpenSSL Software Foundation | |
| https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d | CVE, OpenSSL Software Foundation | |
| https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740 | CVE, OpenSSL Software Foundation | |
| https://security.netapp.com/advisory/ntap-20240621-0001/ | CVE | |
| https://www.openssl.org/news/secadv/20240516.txt | CVE, OpenSSL Software Foundation | |
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-606 | Unchecked Input for Loop Condition | OpenSSL Software Foundation |
| CWE-834 | Excessive Iteration | CISA-ADP |
Change History
8 change records found
CVE Modified by CISA-ADP 6/17/2026 4:02:14 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Affected | [{"vendor":"openssl","product":"openssl","defaultStatus":"unaffected","cpes":["cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*"],"versions":[{"version":"3.0.0","lessThan":"3.0.14","versionType":"semver","status":"affected"},{"version":"3.1.0","lessThan":"3.1.6","versionType":"semver","status":"affected"},{"version":"3.2.0","lessThan":"3.2.2","versionType":"semver","status":"affected"},{"version":"3.3.0","lessThan":"3.3.1","versionType":"semver","status":"affected"}]}] | |
| Added | SSVC | {"timestamp":"2024-05-16T18:27:25.638098Z","id":"CVE-2024-4603","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"} | |
CVE Modified by OpenSSL Software Foundation 6/17/2026 4:02:14 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Affected | [{"vendor":"OpenSSL","product":"OpenSSL","defaultStatus":"unaffected","versions":[{"version":"3.0.0","lessThan":"3.0.14","versionType":"semver","status":"affected"},{"version":"3.1.0","lessThan":"3.1.6","versionType":"semver","status":"affected"},{"version":"3.2.0","lessThan":"3.2.2","versionType":"semver","status":"affected"},{"version":"3.3.0","lessThan":"3.3.1","versionType":"semver","status":"affected"}]}] | |
CVE Modified by CVE 11/21/2024 4:43:11 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | http://www.openwall.com/lists/oss-security/2024/05/16/2 | |
| Added | Reference | https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397 | |
| Added | Reference | https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e | |
| Added | Reference | https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d | |
| Added | Reference | https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740 | |
| Added | Reference | https://security.netapp.com/advisory/ntap-20240621-0001/ | |
| Added | Reference | https://www.openssl.org/news/secadv/20240516.txt | |
CVE Modified by OpenSSL Software Foundation 10/14/2024 11:15:14 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CWE | OpenSSL Software Foundation CWE-606 | |
| Removed | Reference | OpenSSL Software Foundation http://www.openwall.com/lists/oss-security/2024/05/16/2 | |
| Removed | Reference | OpenSSL Software Foundation https://security.netapp.com/advisory/ntap-20240621-0001/ | |
CVE Modified by CISA-ADP 8/13/2024 12:35:05 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | |
| Added | CWE | CISA-ADP CWE-834 | |
CVE Modified by OpenSSL Software Foundation 6/21/2024 3:15:30 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | OpenSSL Software Foundation https://security.netapp.com/advisory/ntap-20240621-0001/ [No types assigned] | |
CVE Modified by OpenSSL Software Foundation 6/10/2024 1:16:33 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | OpenSSL Software Foundation http://www.openwall.com/lists/oss-security/2024/05/16/2 [No types assigned] | |
New CVE Received from OpenSSL Software Foundation 5/16/2024 12:15:10 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue. | |
| Added | Reference | OpenSSL Software Foundation https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397 [No types assigned] | |
| Added | Reference | OpenSSL Software Foundation https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e [No types assigned] | |
| Added | Reference | OpenSSL Software Foundation https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d [No types assigned] | |
| Added | Reference | OpenSSL Software Foundation https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740 [No types assigned] | |
| Added | Reference | OpenSSL Software Foundation https://www.openssl.org/news/secadv/20240516.txt [No types assigned] | |
Quick Info
CVE Dictionary Entry:
CVE-2024-4603
NVD Published Date:
05/16/2024
NVD Last Modified:
06/17/2026
Source:
OpenSSL Software Foundation