PT-2023-3466 · Mysql Server+10

Matt Caswell +2 · Published 2023-05-30 · Updated 2026-04-27 · CVE-2023-2650

CVSS v2.0: 7.8 High · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

OpenSSL versions prior to 3.0
OpenSSL versions 3.0 and newer
MySQL Server versions 5.7.42 and earlier, 8.0.33 and earlier
Description

The issue concerns the processing of specially crafted ASN.1 OBJECT IDENTIFIERs, which can cause very long delays in applications that use the OpenSSL library and so lead to a Denial of Service (DoS). OBJ_obj2txt() translates a DER-encoded ASN.1 OBJECT IDENTIFIER into its canonical numeric text form, that is, the sub-identifiers written in decimal and separated by periods. An OBJECT IDENTIFIER is a sequence of sub-identifiers, most of which have no size limit; when one of them is very large (tens or hundreds of KiB of encoding), the conversion to decimal text takes a very long time. The time complexity is O(n^2), with n being the size of the sub-identifier in bytes. Applications that call OBJ_obj2txt() directly on untrusted data are affected with any version of OpenSSL; where the result is only displayed, the severity is low. In OpenSSL 3.0 and newer, which can fetch algorithms by the text form of an OID received in an AlgorithmIdentifier, the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF and TS, which impose no message size limit, are affected, as is anything that processes X.509 certificates, including verifying their signatures. The impact on TLS is relatively low because every OpenSSL version limits the peer's certificate chain to 100 KiB, and only TLS clients, or servers that have explicitly enabled client authentication, are exposed through that path.
Recommendations

Upgrade to a fixed OpenSSL release: 3.1.1 for the 3.1 series, 3.0.9 for 3.0, 1.1.1u for 1.1.1 and 1.0.2zh for premium-support 1.0.2 users (versions before 3.0 are exposed only where the application itself passes untrusted data to OBJ_obj2txt()). For OpenSSL 3.0 and newer, also make sure that input to the OCSP, PKCS7/SMIME, CMS, CMP/CRMF and TS subsystems is subject to a message size limit, so that an oversized sub-identifier cannot cause excessive delays. For MySQL Server 5.7.42 and earlier and 8.0.33 and earlier, upgrade to a later release that addresses the vulnerability. As a temporary workaround where a patch cannot yet be applied, do not call OBJ_obj2txt() on untrusted data and bound the size of ASN.1 messages accepted from untrusted sources.
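The quadratic conversion and the size-limit mitigation described above, as an added example in C. This is not OpenSSL's code: the decoder oid_to_text(), the helpers make_huge_oid() and oid_work(), and the 1.2.<big> test input are constructed for this illustration. The decoder checks each sub-identifier's encoded length before it does any arithmetic on it, and converts a sub-identifier to decimal with a schoolbook multiply-add over a digit array, so the work grows with the square of the sub-identifier's length, the behaviour class the advisory describes.

```c
/* Added example, not OpenSSL code: decode the content bytes of a DER OBJECT
 * IDENTIFIER to dotted-decimal text, rejecting oversized sub-identifiers before
 * any arithmetic is spent on them. Names oid_to_text, make_huge_oid, oid_work
 * are hypothetical; the 1.2.<big> input is constructed for the demonstration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static unsigned long g_work;   /* inner-loop steps of the last oid_to_text() */

/* sha256WithRSAEncryption = 1.2.840.113549.1.1.11 (content bytes only). */
const unsigned char OID_SHA256_RSA[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B};

/* One base-128 sub-identifier (n bytes, MSB first) to decimal text via
 * schoolbook digits = digits*128 + 7 bits per byte: the digit array grows
 * with n, so the work is O(n^2) as in the advisory. Returns chars written, 0 on error. */
static size_t subid_to_dec(const unsigned char *p, size_t n, char *out, size_t outlen)
{
    unsigned char *dig = calloc(3 * n + 2, 1);   /* LE decimal digits; <= 3 new per byte */
    size_t nd = 1, i, j;
    if (dig == NULL) return 0;
    for (i = 0; i < n; i++) {
        unsigned carry = p[i] & 0x7Fu;
        for (j = 0; j < nd; j++, g_work++) {
            unsigned v = dig[j] * 128u + carry;
            dig[j] = (unsigned char)(v % 10);
            carry = v / 10;
        }
        for (; carry; carry /= 10, g_work++) dig[nd++] = (unsigned char)(carry % 10);
    }
    if (nd + 1 > outlen) { free(dig); return 0; }
    for (j = 0; j < nd; j++) out[j] = (char)('0' + dig[nd - 1 - j]);
    out[nd] = '\0';
    free(dig);
    return nd;
}

/* Decode OID content bytes (tag/length stripped). Every sub-identifier's encoded
 * length is checked against max_subid_bytes BEFORE conversion: that is the
 * mitigation. Returns 0 on success, -1 on malformed or rejected input. */
int oid_to_text(const unsigned char *der, size_t len, size_t max_subid_bytes,
                char *out, size_t outlen)
{
    size_t pos = 0, used = 0;
    int first = 1;
    g_work = 0;
    if (len == 0 || outlen == 0) return -1;
    while (pos < len) {
        size_t start = pos, n, w;
        while (pos < len && (der[pos] & 0x80)) pos++;   /* continuation bytes */
        if (pos == len) return -1;                       /* truncated sub-identifier */
        n = ++pos - start;
        if (n > max_subid_bytes) return -1;             /* oversized: reject cheaply */
        if (n > 1 && der[start] == 0x80) return -1;     /* non-minimal DER encoding */
        if (first) {   /* first value is 40*X + Y; one-byte form only (simplification) */
            unsigned v = der[start], x = v / 40 > 2 ? 2 : v / 40;
            if (n != 1) return -1;
            w = (size_t)snprintf(out, outlen, "%u.%u", x, v - 40 * x);
            if (w >= outlen) return -1;
            used = w; first = 0;
            continue;
        }
        if (used + 2 > outlen) return -1;
        out[used++] = '.';
        if ((w = subid_to_dec(der + start, n, out + used, outlen - used)) == 0) return -1;
        used += w;
    }
    return 0;
}

/* Constructed input: OID 1.2.<big>, <big> occupying exactly subid_bytes bytes
 * (every 7-bit group is 1111111). Caller frees. */
unsigned char *make_huge_oid(size_t subid_bytes, size_t *len)
{
    unsigned char *buf = subid_bytes ? malloc(subid_bytes + 1) : NULL;
    if (buf == NULL) return NULL;
    buf[0] = 0x2A;                              /* 1.2 */
    memset(buf + 1, 0xFF, subid_bytes - 1);     /* continuation bytes, high bit set */
    buf[subid_bytes] = 0x7F;                    /* final byte, high bit clear */
    *len = subid_bytes + 1;
    return buf;
}

/* Decode 1.2.<big> under a limit: step count, or -1 if the decoder rejected it. */
long oid_work(size_t subid_bytes, size_t max_subid_bytes)
{
    size_t len = 0, outlen = 3 * subid_bytes + 16;
    unsigned char *oid = make_huge_oid(subid_bytes, &len);
    char *txt = malloc(outlen);
    int rc = (oid && txt) ? oid_to_text(oid, len, max_subid_bytes, txt, outlen) : -1;
    free(oid); free(txt);
    return rc == 0 ? (long)g_work : -1;
}

int main(void)
{
    char txt[64];
    size_t n;
    if (oid_to_text(OID_SHA256_RSA, sizeof OID_SHA256_RSA, 16, txt, sizeof txt) == 0)
        printf("%s\n", txt);
    for (n = 500; n <= 4000; n *= 2)   /* steps roughly quadruple per doubling */
        printf("%4zu-byte sub-identifier: %ld steps; under limit 64: %s\n", n,
               oid_work(n, (size_t)-1), oid_work(n, 64) < 0 ? "rejected" : "accepted");
    return 0;
}
```

Doubling the sub-identifier roughly quadruples the step count, which is what a DoS through OBJ_obj2txt() relies on; the per-sub-identifier limit rejects the input after a linear scan of its bytes, before any of that work is done. A real certificate's OIDs are a handful of bytes per sub-identifier, so a limit of a few dozen bytes costs nothing for legitimate input. The same idea applies one level up, as a size limit on the whole OCSP, CMS or PKCS7 message.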

Weakness Enumeration

DoS
Allocation of Resources Without Limits
Resource Exhaustion

Related Identifiers

ALSA-2023:3722
ALSA-2023:6330
ALT-PU-2023-1913
ALT-PU-2023-1937
ALT-PU-2023-1948
ALT-PU-2023-2039
ALT-PU-2023-2083
ALT-PU-2023-7324
ALT-PU-2023-7463
ALT-PU-2023-7647
ALT-PU-2023-7888
AZL-26984
AZL-27009
AZL-31144
AZL-34667
AZL-37674
BDU:2023-03652
CVE-2023-2650
DLA-3449-1
DSA-5417-1
JLSEC-2026-239
MGASA-2023-0195
OESA-2023-1354
OESA-2023-1355
OESA-2023-1356
OESA-2024-1222
OESA-2024-1223
OESA-2024-1224
OESA-2024-1225
OESA-2024-1226
OESA-2024-1227
OESA-2024-1238
OPENSUSE-SU-2024:12966-1
OPENSUSE-SU-2024:12969-1
OPENSUSE-SU-2024:12972-1
OPENSUSE-SU-2024:13029-1
OPENSUSE-SU-2024:13031-1
OPENSUSE-SU-2024:13032-1
OPENSUSE-SU-2024:13033-1
OPENSUSE-SU-2024:13038-1
OPENSUSE-SU-2024:14109-1
OPENSUSE-SU-2024:14434-1
OPENSUSE-SU-2025:15713-1
RHSA-2023:3722
RHSA-2023:6330
RHSA-2023:7622
RHSA-2023:7625
ROSA-SA-2024-2366
SUSE-SU-2023:2327-1
SUSE-SU-2023:2328-1
SUSE-SU-2023:2329-1
SUSE-SU-2023:2330-1
SUSE-SU-2023:2331-1
SUSE-SU-2023:2332-1
SUSE-SU-2023:2342-1
SUSE-SU-2023:2343-1
SUSE-SU-2023:2469-1
SUSE-SU-2023:2470-1
SUSE-SU-2023:2471-1
SUSE-SU-2023:2620-1
SUSE-SU-2023:29171-1
USN-6119-1
USN-6188-1
USN-6672-1
USN-7894-1
USN-7894-2

Affected Products

ALT Linux
AlmaLinux
Astra Linux
IBM AIX
Linux Mint
MySQL Server
OpenSSL
Red Hat
RED OS
SUSE
Ubuntu