PT-2024-2726 · MySQL Server +9
Rohan Mclure +1
Published 2024-01-09 · Updated 2026-04-27
CVE-2023-6129
CVSS v3.1: 6.5 (Medium)
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to the fixed version
MySQL Server versions 8.0.36 and earlier, 8.3.0 and earlier
Description
The POLY1305 MAC implementation in OpenSSL contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted, with various application dependent consequences. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can vary, from no consequences at all to the worst case, where the attacker could get complete control of the application process. However, unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service.
Recommendations
For OpenSSL versions prior to the fixed version: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
For MySQL Server versions 8.0.36 and earlier, 8.3.0 and earlier: Update to a version that is not affected by this issue.
As a temporary workaround, consider disabling the use of the POLY1305 MAC algorithm until a patch is available.
Restrict access to the vulnerable code to minimize the risk of exploitation.
Avoid using the CHACHA20-POLY1305 AEAD cipher with TLS protocol versions 1.2 and 1.3 until the issue is resolved.
DoS
Memory Corruption
Affected Products
ALT Linux
AlmaLinux
IBM AIX
Linux Mint
MySQL Server
OpenSSL
Red Hat
Rocky Linux
SUSE
Ubuntu