Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2022-40735

Published: 14 November 2022

The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that "(appropriately) short exponents" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys. The specific situations in which calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the DHE implementation details. In general, there might be an availability concern because of server-side resource consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this vulnerability and CVE-2002-20001 together.

Notes

AuthorNote
alexmurray
It would appear upstream openssl fixed this in 3.1.0 via
https://github.com/openssl/openssl/pull/18480
mdeslaur
This was backported to 3.0.6 via
https://github.com/openssl/openssl/pull/18793
doesn't affect 1.x

Priority

Medium

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package Release Status
edk2
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(3.x only)
focal Not vulnerable
(3.x only)
jammy Not vulnerable
(3.x only)
kinetic Ignored
(end of life, was needs-triage)
lunar Ignored
(end of life, was deferred)
mantic Not vulnerable
(3.x only)
noble Not vulnerable
(contains 3.0.9)
trusty Ignored
(end of standard support)
upstream Needs triage

xenial Not vulnerable
(3.x only)
nodejs
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Not vulnerable
(uses system openssl)
jammy Needed

kinetic Not vulnerable
(uses system openssl)
lunar Not vulnerable
(uses system openssl)
mantic Not vulnerable
(uses system openssl)
noble Not vulnerable
(uses system openssl)
trusty Not vulnerable
(uses system openssl)
upstream Needs triage

xenial Needs triage

openssl
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(3.x only)
focal Not vulnerable
(1.1.1f-1ubuntu2.22)
jammy Needed

kinetic Ignored
(end of life, was needs-triage)
lunar Ignored
(end of life, was needs-triage)
mantic Not vulnerable
(3.0.10-1ubuntu2.3)
noble Not vulnerable
(3.0.13-0ubuntu3)
trusty Not vulnerable
(3.x only)
upstream
Released (3.0.6)
xenial Not vulnerable
(3.x only)
Patches:
upstream: https://github.com/openssl/openssl/commit/8ed6ddcaa559b7b04202c15ea3a95ee0b05caeba
upstream: https://github.com/openssl/openssl/commit/c9bdbc12ac7343992ba249e11d2bda3338469a97
upstream: https://github.com/openssl/openssl/commit/5eac066bef0c23bb74255423d335e634e4deb8d5
upstream: https://github.com/openssl/openssl/commit/ce4579adf94d5f26e566a1e04c8a52ec5943cdd0
openssl1.0
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(3.x only)
focal Does not exist

jammy Does not exist

kinetic Does not exist

lunar Does not exist

mantic Does not exist

noble Does not exist

trusty Does not exist

upstream Needed

xenial Does not exist

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H