CVE-2022-2097: 
MySQL vulnerability analysis and mitigation

CVE-2022-2097 affects AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation in OpenSSL versions 1.1.1-1.1.1p and 3.0.0-3.0.4. The vulnerability was discovered on June 15, 2022, and publicly disclosed on July 5, 2022. The issue was fixed in OpenSSL versions 1.1.1q and 3.0.5 (OpenSSL Advisory).

The vulnerability occurs when the AES-NI assembly optimized implementation fails to encrypt the entirety of the data under certain circumstances. This could expose sixteen bytes of data that was preexisting in the memory that wasn't written. In cases of 'in place' encryption, sixteen bytes of the plaintext would be revealed. The vulnerability has been assigned a CVSS score of 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability could lead to information disclosure by revealing sixteen bytes of sensitive data that was present in memory or, in the case of in-place encryption, exposing sixteen bytes of plaintext. However, since OpenSSL does not support OCB based cipher suites for TLS and DTLS, these protocols are unaffected (OpenSSL Advisory).

The vulnerability has been fixed in OpenSSL versions 1.1.1q and 3.0.5. Users are advised to upgrade to these versions or later. The fix was developed by Alex Chernyakhovsky, David Benjamin, and Alejandro Sedeño from Google (OpenSSL Advisory).