Bernd Edlinger

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** The POLY1305 MAC implementation in OpenSSL contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86 64 processors supporting the AVX512-IFMA instructions. If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application-dependent consequences. The consequences of this kind of internal application state corruption can be various, from no consequences to the worst consequences, where the attacker could get complete control of the application process. However, given the contents of the registers are just zeroized, the most likely consequence would be an incorrect result of some application-dependent calculations or a crash leading to a denial of service. **Recommendations** As a workaround, the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL ia32cap: OPENSSL ia32cap=:~0x200000 At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to 3.0 OpenSSL versions prior to 3.1 **Description** The issue is related to the functions `DH check()`, `DH check ex()`, and `EVP PKEY param check()` in the OpenSSL library. These functions can cause excessive delays when checking excessively long DH keys or parameters, potentially leading to a Denial of Service attack if the key or parameters are obtained from an untrusted source. The `DH check()` function performs various checks on DH parameters, and a large `q` parameter value can trigger an overly long computation during some of these checks. The OpenSSL SSL/TLS implementation and the OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. **Recommendations** For OpenSSL versions prior to 3.0, update to version 3.0 or later to resolve the issue. For OpenSSL versions prior to 3.1, update to version 3.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `DH check()`, `DH check ex()`, and `EVP PKEY param check()` functions to minimize the risk of exploitation. Avoid using the `dhparam` and `pkeyparam` command line applications with the "-check" option until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.0.2 through 1.0.2zb OpenSSL versions 1.1.1 through 1.1.1l OpenSSL version 3.0.0 **Description** The issue is related to a carry propagation bug in the MIPS32 and MIPS64 squaring procedure of the OpenSSL library, which can lead to the compromise of elliptic curve algorithms, including some of the TLS 1.3 default curves. This bug may allow a remote attacker to disclose protected information, particularly if private keys are reused. However, the prerequisites for an attack are considered unlikely, and the impact was not analyzed in detail. The amount of resources required for such an attack would be significant. **Recommendations** For OpenSSL versions 1.0.2 through 1.0.2zb, update to version 1.0.2zc or apply the fix from git commit 6fc1aaaf3. For OpenSSL versions 1.1.1 through 1.1.1l, update to version 1.1.1m. For OpenSSL version 3.0.0, update to version 3.0.1.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.1.1d through 1.1.1f MySQL Server versions 5.6.48 and earlier, 5.7.30 and earlier, 8.0.20 and earlier **Description** The issue is related to the incorrect handling of the "signature algorithms cert" TLS extension, which can cause a NULL pointer dereference and lead to a crash during or after a TLS 1.3 handshake. This could be exploited by a malicious peer in a Denial of Service attack. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. **Recommendations** For OpenSSL versions 1.1.1d through 1.1.1f, update to OpenSSL 1.1.1g to fix the issue. For MySQL Server versions 5.6.48 and earlier, 5.7.30 and earlier, 8.0.20 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the `SSL check chain()` function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the `signature algorithms cert` TLS extension in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.0.2 through 1.0.2s OpenSSL versions 1.1.0 through 1.1.0k OpenSSL versions 1.1.1 through 1.1.1c **Description** The issue is related to a padding oracle attack in the `PKCS7 dataDecode` and `CMS decrypt set1 pkey` functions, allowing an attacker to recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key. This can be achieved by sending a large number of messages to be decrypted. Applications using a certificate together with the private RSA key to select the correct recipient info to decrypt are not affected. **Recommendations** For OpenSSL versions 1.0.2 through 1.0.2s, update to version 1.0.2t. For OpenSSL versions 1.1.0 through 1.1.0k, update to version 1.1.0l. For OpenSSL versions 1.1.1 through 1.1.1c, update to version 1.1.1d.