ALAS2023-2024-520 --- opensslID: oval:org.secpod.oval:def:19500605 | Date: (C)2024-02-29 (M)2024-06-10 |
Class: PATCH | Family: unix |
A flaw was found in OpenSSL. When the EVP_PKEY_public_check function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack. Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attackThe package openssl098e is provided purely for binary compatibility with older Amazon Linux versions. It does not receive security updates
Platform: |
Amazon Linux 2023 |