CVE-2023-2975

Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications. The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

History

14 Oct 2024, 15:15

Type Values Removed Values Added
Summary (en) Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be mislead by removing adding or reordering such empty entries as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications. The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue. (en) Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications. The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue.
References
  • {'url': 'http://www.openwall.com/lists/oss-security/2023/07/15/1', 'tags': ['Mailing List', 'Third Party Advisory'], 'source': 'openssl-security@openssl.org'}
  • {'url': 'http://www.openwall.com/lists/oss-security/2023/07/19/5', 'tags': ['Mailing List', 'Third Party Advisory'], 'source': 'openssl-security@openssl.org'}
  • {'url': 'https://security.gentoo.org/glsa/202402-08', 'source': 'openssl-security@openssl.org'}
  • {'url': 'https://security.netapp.com/advisory/ntap-20230725-0004/', 'tags': ['Third Party Advisory'], 'source': 'openssl-security@openssl.org'}
CWE CWE-354

04 Feb 2024, 09:15

Type Values Removed Values Added
References
  • () https://security.gentoo.org/glsa/202402-08 -

27 Jul 2023, 13:02

Type Values Removed Values Added
References (MISC) http://www.openwall.com/lists/oss-security/2023/07/15/1 - (MISC) http://www.openwall.com/lists/oss-security/2023/07/15/1 - Mailing List, Third Party Advisory
References (MISC) http://www.openwall.com/lists/oss-security/2023/07/19/5 - (MISC) http://www.openwall.com/lists/oss-security/2023/07/19/5 - Mailing List, Third Party Advisory
References (MISC) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc - (MISC) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc - Patch
References (MISC) https://www.openssl.org/news/secadv/20230714.txt - (MISC) https://www.openssl.org/news/secadv/20230714.txt - Vendor Advisory
References (MISC) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598 - (MISC) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598 - Patch
References (MISC) https://security.netapp.com/advisory/ntap-20230725-0004/ - (MISC) https://security.netapp.com/advisory/ntap-20230725-0004/ - Third Party Advisory
First Time Openssl openssl
Netapp management Services For Element Software And Netapp Hci
Netapp
Openssl
Netapp ontap Select Deploy Administration Utility
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
CWE CWE-287
CPE cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

25 Jul 2023, 15:15

Type Values Removed Values Added
References
  • (MISC) https://security.netapp.com/advisory/ntap-20230725-0004/ -

19 Jul 2023, 15:15

Type Values Removed Values Added
References
  • (MISC) http://www.openwall.com/lists/oss-security/2023/07/19/5 -

15 Jul 2023, 13:15

Type Values Removed Values Added
References
  • (MISC) http://www.openwall.com/lists/oss-security/2023/07/15/1 -

14 Jul 2023, 12:47

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-14 12:15

Updated : 2024-10-14 15:15


NVD link : CVE-2023-2975

Mitre link : CVE-2023-2975

CVE.ORG link : CVE-2023-2975


JSON object : View

Products Affected

netapp

  • ontap_select_deploy_administration_utility
  • management_services_for_element_software_and_netapp_hci

openssl

  • openssl
CWE
CWE-287

Improper Authentication

CWE-354

Improper Validation of Integrity Check Value