
CVE-2023-2975 Report - Details, Severity, & Advisories


Twingate Team

Jun 6, 2024

What is CVE-2023-2975?

CVE-2023-2975 is a security vulnerability with a medium severity level that affects the AES-SIV cipher implementation in OpenSSL. The implementation ignores empty associated data entries, so those entries are not authenticated.

Who is impacted by CVE-2023-2975?

The affected versions include OpenSSL 3.0.0 to 3.0.9 and 3.1.0 to 3.1.1. It's important to note that the FIPS provider is not affected, and neither are OpenSSL versions 1.1.1 and 1.0.2. However, the impact is considered low, as the issue does not affect the authentication of non-empty associated data and it is expected to be rare for an application to use empty associated data entries.
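Added illustration, not OpenSSL's code: the S2V composition that AES-SIV uses to derive its tag, with a switch that models the defect the report describes (empty associated data entries dropped before the computation). HMAC-SHA256 truncated to 16 bytes stands in for AES-CMAC, and the key and message are constructed, so the tags only mean something relative to each other: with the defect, an empty entry leaves no trace in the tag; without it, the same entry changes the tag, while inputs with no empty entries behave identically either way.

```python
import hmac
import hashlib

def _prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 16 bytes stands in for AES-CMAC,
    # so the S2V structure can be shown without a crypto library.
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def _dbl(block: bytes) -> bytes:
    # Doubling in GF(2^128) with the CMAC/SIV reduction constant 0x87.
    v = int.from_bytes(block, "big") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(16, "big")

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _pad(s: bytes) -> bytes:
    # 10* padding of a short final string up to one 16-byte block.
    return s + b"\x80" + b"\x00" * (15 - len(s))

def siv_tag(key: bytes, aad: list, plaintext: bytes, skip_empty_aad: bool = False) -> bytes:
    """S2V over the AAD entries followed by the plaintext (RFC 5297 structure).
    skip_empty_aad=True models the CVE-2023-2975 defect as the report describes it."""
    if skip_empty_aad:
        aad = [a for a in aad if a]               # empty entries silently dropped
    d = _prf(key, bytes(16))                      # D = PRF(K, <zero>)
    for s in aad:                                 # every AAD entry, empty or not
        d = _xor(_dbl(d), _prf(key, s))           # D = dbl(D) xor PRF(K, S_i)
    if len(plaintext) >= 16:
        t = plaintext[:-16] + _xor(plaintext[-16:], d)   # T = S_n xorend D
    else:
        t = _xor(_dbl(d), _pad(plaintext))        # T = dbl(D) xor pad(S_n)
    return _prf(key, t)

KEY = b"constructed-demo-key-not-secret!"   # constructed 32-byte sample key
PT = b"constructed sample plaintext"        # constructed sample message

def empty_aad_collides(skip_empty_aad: bool) -> bool:
    """True if AAD [b"", b"hdr"] and [b"hdr"] produce the same tag."""
    return siv_tag(KEY, [b"", b"hdr"], PT, skip_empty_aad) == siv_tag(KEY, [b"hdr"], PT, skip_empty_aad)

def nonempty_aad_unaffected() -> bool:
    """True: with no empty entries, the defective and fixed paths agree."""
    return siv_tag(KEY, [b"hdr", b"v1"], PT, True) == siv_tag(KEY, [b"hdr", b"v1"], PT, False)
```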

What should I do if I’m affected?

If you're affected by the CVE-2023-2975 vulnerability, it's important to monitor the OpenSSL project for the next releases containing the fix. Due to its low severity, new releases are not being issued immediately. However, you can apply the fix available in commit 6a83f0c9 (for 3.1) and commit 00e2f5ee (for 3.0) in the OpenSSL git repository if necessary and feasible for your specific use case.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

CVE-2023-2975 is not listed in CISA's Known Exploited Vulnerabilities Catalog. The vulnerability, named "AES-SIV implementation ignores empty associated data entries", was published on July 14, 2023. There is no specific due date or required action mentioned, but users are advised to monitor the OpenSSL project for the next releases containing the fix.

Weakness Enumeration

The weakness enumeration for this vulnerability is CWE-287 (Improper Authentication), reflecting the unauthenticated empty associated data entries in the AES-SIV cipher implementation.

Learn More

For a comprehensive understanding of the issue, its impact, and potential solutions, refer to the NVD page and the sources listed below.
