{"id":"CVE-2024-4603","details":"Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this 
issue.","modified":"2026-04-16T04:31:31.480633998Z","published":"2024-05-16T16:15:10.643Z","related":["ALSA-2024:9333","CGA-c79m-3cvx-p3fj","SUSE-SU-2024:1789-1","SUSE-SU-2024:1947-1","SUSE-SU-2024:2066-1","SUSE-SU-2025:20014-1","openSUSE-SU-2024:13992-1"],"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/05/16/2"},{"type":"WEB","url":"https://www.openssl.org/news/secadv/20240516.txt"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240621-0001/"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"0"},{"fixed":"3559e868e58005d15c6013a0c1fd832e51c73397"}]},{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"0"},{"fixed":"53ea06486d296b890d565fb971b2764fcd826e7e"}]},{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"0"},{"fixed":"9c39b3858091c152f52513c066ff2c5a47969f0d"}]},{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"0"},{"fixed":"da343d0605c826ef197aceedc67e8e04f065f740"}]},{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"0"},{"fixed":"3559e868e58005d15c6013a0c1fd832e51c73397"}]},{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"0"},{"fixed":"53ea06486d296b890d565fb971b2764fcd826e7e"}]},{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"0"},{"fixed":"9c39b3858091c152f52513c066ff2c5a47969f0d"}]},{"type":"GIT","repo":"https://github.com/openssl/op
enssl","events":[{"introduced":"0"},{"fixed":"da343d0605c826ef197aceedc67e8e04f065f740"}]}],"versions":["BEFORE_engine","OpenSSL_0_9_1c","OpenSSL_0_9_2b","OpenSSL_0_9_3","OpenSSL_0_9_3a","OpenSSL_0_9_3beta2","OpenSSL_0_9_4","OpenSSL_0_9_5a","OpenSSL_0_9_5a-beta1","OpenSSL_0_9_5a-beta2","OpenSSL_0_9_5beta1","OpenSSL_0_9_5beta2","OpenSSL_0_9_6-beta3","OpenSSL_1_1_0-pre1","OpenSSL_1_1_0-pre2","OpenSSL_1_1_0-pre3","OpenSSL_1_1_0-pre4","OpenSSL_1_1_0-pre5","OpenSSL_1_1_0-pre6","OpenSSL_1_1_1","OpenSSL_1_1_1-pre1","OpenSSL_1_1_1-pre2","OpenSSL_1_1_1-pre3","OpenSSL_1_1_1-pre4","OpenSSL_1_1_1-pre5","OpenSSL_1_1_1-pre6","OpenSSL_1_1_1-pre7","OpenSSL_1_1_1-pre8","OpenSSL_1_1_1-pre9","master-post-auto-reformat","master-post-reformat","master-pre-auto-reformat","master-pre-reformat","openssl-3.0.0","openssl-3.0.0-alpha1","openssl-3.0.0-alpha10","openssl-3.0.0-alpha11","openssl-3.0.0-alpha12","openssl-3.0.0-alpha13","openssl-3.0.0-alpha14","openssl-3.0.0-alpha15","openssl-3.0.0-alpha16","openssl-3.0.0-alpha17","openssl-3.0.0-alpha2","openssl-3.0.0-alpha3","openssl-3.0.0-alpha4","openssl-3.0.0-alpha5","openssl-3.0.0-alpha6","openssl-3.0.0-alpha7","openssl-3.0.0-alpha8","openssl-3.0.0-alpha9","openssl-3.0.0-beta1","openssl-3.0.0-beta2","openssl-3.0.1","openssl-3.0.10","openssl-3.0.11","openssl-3.0.12","openssl-3.0.13","openssl-3.0.2","openssl-3.0.3","openssl-3.0.4","openssl-3.0.5","openssl-3.0.6","openssl-3.0.7","openssl-3.0.8","openssl-3.0.9","openssl-3.1.0","openssl-3.1.0-alpha1","openssl-3.1.0-beta1","openssl-3.1.1","openssl-3.1.2","openssl-3.1.3","openssl-3.1.4","openssl-3.1.5","openssl-3.2.0","openssl-3.2.0-alpha1","openssl-3.2.0-alpha2","openssl-3.2.0-beta1","openssl-3.2.1","openssl-3.3.0","openssl-3.3.0-alpha1","openssl-3.3.0-beta1"],"database_specific":{"vanir_signatures_modified":"2026-04-12T10:53:12Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4603.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}