CVE-2024-4603: 
Node.js vulnerability analysis and mitigation

CVE-2024-4603 is a vulnerability in OpenSSL versions 3.3, 3.2, 3.1, and 3.0, discovered on February 13th, 2024, by OSSfuzz and disclosed on May 16th, 2024. The vulnerability affects applications that use the functions EVPPKEYparamcheck() or EVPPKEYpubliccheck() to check DSA public keys or parameters. OpenSSL has classified this as a low-severity vulnerability (OpenSSL Advisory).

The vulnerability occurs when checking DSA parameters where the modulus ('p' parameter) is too large. While OpenSSL normally prevents using public keys with modulus larger than 10,000 bits for signature verification, the key and parameter check functions did not implement this size limitation. This oversight can lead to excessive computation time during validation checks (OpenSSL Advisory).

When exploited, this vulnerability can cause significant delays in applications that perform DSA key or parameter validation, potentially leading to a Denial of Service (DoS) condition. The impact is particularly relevant when the key or parameters being checked are obtained from untrusted sources. The OpenSSL SSL/TLS implementation itself is not affected, though the OpenSSL 3.0 and 3.1 FIPS providers are impacted (OpenSSL Advisory).

To resolve this issue, OpenSSL implemented a fix that causes DSA keys larger than OPENSSLDSAMAXMODULUSBITS to fail the check immediately with a DSARMODULUSTOOLARGE error. The fix is available in commits 53ea0648 (for 3.3), da343d06 (for 3.2), 9c39b385 (for 3.1), and 3559e868 (for 3.0) in the OpenSSL git repository. Due to the low severity, no immediate new releases were issued, with the fix scheduled for inclusion in future releases (OpenSSL Advisory).

Various organizations have responded to this vulnerability. Microsoft acknowledged the issue affecting several applications including OneDrive, and announced that OneDrive Sync App 25.004.0109.0002 would include OpenSSL 3.4.0.0 to address the vulnerability (Microsoft Q&A).