CVE-2022-2097

Name of the Vulnerable Software and Affected Versions OpenSSL versions 1.1.1 through 1.1.1p OpenSSL versions 3.0.0 through 3.0.4 MySQL Server versions 5.7.39 and earlier MySQL Server versions 8.0.30 and earlier

Description The AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation does not encrypt the entirety of the data under some circumstances, potentially revealing sixteen bytes of preexisting data in memory that was not written. In the special case of "in place" encryption, sixteen bytes of the plaintext could be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.

Recommendations For OpenSSL versions 1.1.1 through 1.1.1p, update to version 1.1.1q. For OpenSSL versions 3.0.0 through 3.0.4, update to version 3.0.5. For MySQL Server versions 5.7.39 and earlier, update to a version later than 5.7.39. For MySQL Server versions 8.0.30 and earlier, update to a version later than 8.0.30. As a temporary workaround, consider disabling the AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation until a patch is available.