CVE-2023-2975
AES-SIV implementation ignores empty associated data entries
Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be mislead by removing adding or reordering such empty entries as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications. The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue.
We have discovered 30,487 live websites that are affected by CVE-2023-2975.
Affected Software
| Product |  OpenSSL |
| Category | Web Server Extensions |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 30 |
| Vulnerable Domains | 30,487 live websites (2.80% of OpenSSL install base) |
Details
- Published - Jul 14, 2023
- Updated - Jul 14, 2023
Credits
- Juerg Wullschleger (Google) (reporter)
- Tomas Mraz (remediation developer)
CVE References
CWE References
Countries
 United States | 9,520 websites |
 Germany | 3,585 websites |
 France | 1,987 websites |
 Japan | 1,310 websites |
 GB | 1,225 websites |
 Italy | 934 websites |
 Finland | 883 websites |
 Czech Republic | 843 websites |
 Netherlands | 834 websites |
 Taiwan | 775 websites |
TLDs
| .com | 10,208 websites |
| .de | 2,481 websites |
| .org | 1,945 websites |
| .net | 1,449 websites |
| .edu | 1,121 websites |
| .fr | 915 websites |
| .fi | 734 websites |
| .co.uk | 718 websites |
| .it | 696 websites |
| .cz | 669 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redReferences
- https://www.openssl.org/news/secadv/20230714.txt
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598
- http://www.openwall.com/lists/oss-security/2023/07/15/1
- http://www.openwall.com/lists/oss-security/2023/07/19/5
- https://security.netapp.com/advisory/ntap-20230725-0004/
- https://security.gentoo.org/glsa/202402-08
Websites affected by CVE-2023-2975
Top websites that are affected by CVE-2023-2975. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.***********.com | United States | *,*** | |
| ******.org | United States | *,*** | |
| ***.******.org | United States | *,*** | |
| ****.******.org | United States | *,*** | |
| ****.org | United States | *,*** | |
| ***.****.org | United States | *,*** | |
| *******.com | United States | *,*** | |
| ***********.org | United States | *,*** | |
| ***.net |  Singapore | *,*** | |
| ********.org | Germany | *,*** |