
Juerg Wullschleger

#48276 of 53,632
5.3 Total CVSS
Vulnerabilities · 1
PT-2023-4553
5.3
2023-07-07
Openssl · Openssl · CVE-2023-2975
**Name of the Vulnerable Software and Affected Versions**

OpenSSL (affected versions not specified)

**Description**

The AES-SIV cipher implementation in OpenSSL contains a bug that causes it to ignore empty associated data entries, which are unauthenticated as a consequence. This issue can mislead applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data by removing, adding, or reordering such empty entries.

The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data, the application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`) with a NULL pointer as the output buffer and 0 as the input buffer length. However, the AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated.

This issue does not affect non-empty associated data authentication, and it is expected to be rare for an application to use empty associated data entries.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.