Alpine: openssl: security update to 3.0.13-r0

medium Tenable Cloud Security Plugin ID 408412

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary:
Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA
public key or DSA parameters may experience long delays. Where the key or parameters that are being
checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions
EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those
computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large
modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in
length for signature verification. However the key and parameter check functions do not limit the modulus
size when performing the checks. An application that calls EVP_PKEY_param_check() or
EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be
vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted
DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are
the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL
SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected
by this issue. (CVE-2024-4603)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-4603

Plugin Details

Severity: Medium

ID: 408412

Version: Revision 1.25

Type: Local

Published: 5/20/2024

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C

CVSS Score Source: CVE-2024-4603

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/16/2024

Reference Information

CVE: CVE-2024-4603