
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (CVE-2023-1255) affects the AES-XTS cipher decryption implementation for 64-bit ARM platforms in OpenSSL. The issue was discovered by Anton Romanov from Amazon and affects OpenSSL 3.0.x from 3.0.0 up to, but not including, 3.0.9, and OpenSSL 3.1.x from 3.1.0 up to, but not including, 3.1.1. The vulnerability was disclosed and patched in April 2023 (NVD).
The vulnerability is triggered when AES-XTS decryption on a 64-bit ARM platform processes a buffer whose size is congruent to 4 mod 5. The implementation contains a bug that can cause it to read past the end of the input buffer. The vulnerability has been assigned a CVSS base score of 5.9 (Medium) with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Security).
If the memory immediately after the buffer being decrypted is not mapped, the overread crashes the application performing AES-XTS decryption, so the primary impact is a potential Denial of Service (DoS). If the memory after the buffer is mapped, the overread is considered harmless (OpenSSL Commit).
The vulnerability has been fixed in OpenSSL versions 3.0.9 and 3.1.1. Users are advised to upgrade to these or later versions. The fix modifies the AES-XTS cipher decryption implementation so that it no longer reads past the end of the input buffer (OpenSSL Commit).
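The following is an added triage helper, not code from the Wiz page or from the OpenSSL project. It turns the advisory's two conditions into checks an inventory script can run: whether an OpenSSL version string falls inside the affected ranges above, and whether a given ciphertext length lands on the buggy code path. For the length check it uses the unit stated in the OpenSSL security advisory, which gives the condition as a length that is 4 mod 5 in 16-byte blocks (for example 144 or 1024 bytes); how the buggy path treats a trailing partial block is not stated on this page, so the helper counts only whole blocks and that choice is an assumption. The function names, the verdict strings and the sample version lines are all constructed for this example.

```python
"""Triage helper for CVE-2023-1255 (OpenSSL AES-XTS decryption overread, 64-bit ARM).

Added example, not code from the vulnerability page or from OpenSSL.
Two questions a defender wants answered per host:
  1. Is the linked OpenSSL inside an affected range?
  2. Does the host run the 64-bit ARM build, the only one with the bug?
Plus a helper that tells whether a ciphertext length reaches the buggy path.
"""
import platform
import re
from typing import Optional, Tuple

# Affected ranges from the advisory: (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = (
    ((3, 0, 0), (3, 0, 9)),   # 3.0.0 <= v < 3.0.9
    ((3, 1, 0), (3, 1, 1)),   # 3.1.0 <= v < 3.1.1
)

# Architectures reported by platform.machine() for 64-bit ARM (assumed list).
ARM64_MACHINES = ("aarch64", "arm64")

# Matches "3.0.8" and also "1.1.1t" (the trailing letter is consumed and ignored).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)[a-z]*\b")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from text such as the output of
    `openssl version` ("OpenSSL 3.0.8 7 Feb 2023") or ssl.OPENSSL_VERSION.
    Returns None when the text carries no version number."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(text: str) -> bool:
    """True when the version in `text` lies inside one of AFFECTED_RANGES.
    Unknown or unparsable versions are reported as not affected."""
    v = parse_openssl_version(text)
    if v is None:
        return False
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def hits_trigger_length(ciphertext_len: int) -> bool:
    """True when the number of whole 16-byte blocks is congruent to 4 mod 5,
    the trigger condition given in the OpenSSL advisory.  Trailing partial
    blocks are ignored here (assumption: the page does not describe them)."""
    if ciphertext_len < 16:
        return False
    return (ciphertext_len // 16) % 5 == 4


def assess(version_text: str, machine: str) -> str:
    """Combine version and architecture into one verdict string
    (verdict names are constructed for this example)."""
    if not is_affected_version(version_text):
        return "not-affected-version"
    if machine.lower() not in ARM64_MACHINES:
        return "affected-version-other-arch"
    return "vulnerable"


def assess_this_host(version_text: str) -> str:
    """Convenience wrapper using the architecture of the running host."""
    return assess(version_text, platform.machine())


if __name__ == "__main__":
    # Constructed sample inventory lines (version, architecture); not real hosts.
    samples = [
        ("OpenSSL 3.0.8 1 Jan 2023", "aarch64"),
        ("OpenSSL 3.0.9 1 Jan 2023", "aarch64"),
        ("OpenSSL 3.1.0 1 Jan 2023", "x86_64"),
        ("OpenSSL 1.1.1t 1 Jan 2023", "arm64"),
    ]
    for ver, mach in samples:
        print(f"{ver:28} {mach:8} -> {assess(ver, mach)}")
    for n in (128, 144, 1024, 4096):
        print(f"len={n:5d} blocks={n // 16:3d} trigger={hits_trigger_length(n)}")
```

To check the OpenSSL an interpreter is linked against, pass `ssl.OPENSSL_VERSION` from the standard `ssl` module to `assess_this_host`; for system binaries, feed it the first line of `openssl version`. A host that evaluates to `vulnerable` should be upgraded to 3.0.9 or 3.1.1 (or later), as the advisory text above recommends; the length helper is only useful for deciding whether a given workload could realistically reach the buggy path before the upgrade lands.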
Source: This report was generated using AI