CVE-2023-3817: 
OpenSSL vulnerability analysis and mitigation

CVE-2023-3817 is a low severity vulnerability discovered in OpenSSL affecting versions 3.1, 3.0, 1.1.1, and 1.0.2. The vulnerability was reported on July 20, 2023, and publicly disclosed on July 31, 2023. It affects applications that use the functions DHcheck(), DHcheckex(), or EVPPKEYparamcheck() to check DH keys or parameters, potentially causing long delays when processing untrusted input (OpenSSL Advisory).

The vulnerability stems from the DH_check() function's handling of DH parameters. After fixing CVE-2023-3446, it was discovered that a large q parameter value could trigger overly long computations during parameter checks. The issue occurs because a correct q value, if present, cannot be larger than the modulus p parameter. The vulnerability has a CVSS v3.1 base score of 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition. Applications that call DHcheck() and supply a key or parameters obtained from an untrusted source are vulnerable to DoS attacks. The vulnerability also affects other OpenSSL functions that call DHcheck(), including DHcheckex() and EVPPKEYparam_check(). The OpenSSL dhparam and pkeyparam command line applications using the '-check' option are also vulnerable (OpenSSL Advisory).

Due to the low severity of the issue, OpenSSL did not issue immediate new releases. However, fixes were made available in the OpenSSL git repository through commits 6a1eb62c2 (for 3.1), 9002fd073 (for 3.0), and 91ddeba0f (for 1.1.1). For version 1.0.2, the fix is available to premium support customers in commit 869ad69a. The fix was developed by Tomas Mraz and will be included in future OpenSSL releases (OpenSSL Advisory).