{
  "threat_severity" : "Low",
  "public_date" : "2023-10-24T00:00:00Z",
  "bugzilla" : {
    "description" : "openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow",
    "id" : "2248616",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2248616"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-325",
  "details" : [ "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays.  Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions.  An application calling any of those other\nfunctions may similarly be affected.  The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", "A flaw was found in OpenSSL, which caused the generation or checking of long X9.42 DH keys or parameters to be much slower than expected. This issue could lead to a denial of service." ],
  "statement" : "This vulnerability in OpenSSL is categorized as a low severity issue primarily because it requires specific conditions to exploit and doesn't directly result in a full Denial of Service (DoS). While the excessive time spent in DH key generation or verification could potentially cause delays, the impact is mitigated by the fact that it requires untrusted sources supplying large Q parameter values. Additionally, the OpenSSL SSL/TLS implementation remains unaffected, limiting the scope of potential attacks. Moreover, there are inherent limits on key length, which further restrict the potential for exploitation.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1316",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-openssl-1:1.1.1k-17.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1316",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-openssl-1:1.1.1k-17.el7jbcs"
  }, {
    "product_name" : "JWS 5.7.8",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1319",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7",
    "package" : "openssl"
  }, {
    "product_name" : "JWS 6.0.1",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1325",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.0",
    "package" : "openssl"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-12-19T00:00:00Z",
    "advisory" : "RHSA-2023:7877",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "openssl-1:1.1.1k-12.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2024-01-11T00:00:00Z",
    "advisory" : "RHSA-2024:0208",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.6",
    "package" : "openssl-1:1.1.1k-12.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-01-10T00:00:00Z",
    "advisory" : "RHSA-2024:0154",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "openssl-1:1.1.1k-12.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2447",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "openssl-1:3.0.7-27.el9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2447",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "openssl-1:3.0.7-27.el9"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 7",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1318",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7",
    "package" : "jws5-tomcat-native-0:1.2.31-17.redhat_17.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 8",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1318",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8",
    "package" : "jws5-tomcat-native-0:1.2.31-17.redhat_17.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 9",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1318",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9",
    "package" : "jws5-tomcat-native-0:1.2.31-17.redhat_17.el9jws"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1317",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "jbcs-httpd24-openssl"
  } ],
  "package_state" : [ {
    "product_name" : "Cryostat 2",
    "fix_state" : "Not affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:cryostat:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "compat-openssl10",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "compat-openssl11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-5678\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5678\nhttps://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055\nhttps://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c\nhttps://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017\nhttps://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6\nhttps://www.openssl.org/news/secadv/20231106.txt" ],
  "name" : "CVE-2023-5678",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}