CVE-2023-2650: 
MySQL vulnerability analysis and mitigation

CVE-2023-2650 is a moderate severity vulnerability discovered in OpenSSL that affects the processing of ASN.1 object identifiers. The vulnerability was first detected by OSSfuzz on January 16, 2020, but was not identified as a security concern until April 23, 2023, when Matt Caswell re-examined the issue. The vulnerability affects OpenSSL versions 3.0.x and 3.1.x, with limited impact on versions 1.1.1 and 1.0.2 (OpenSSL Advisory).

The vulnerability occurs in the OBJ_obj2txt() function when translating ASN.1 OBJECT IDENTIFIERs to canonical numeric text form. When processing large sub-identifiers (tens or hundreds of KiBs), the translation becomes extremely slow with a time complexity of O(n^2), where n is the size of the sub-identifiers in bytes. A test measurement showed processing times of about 2 seconds for 100KiB and a minute for 500KiB (OpenSSL Advisory).

Applications using OBJ_obj2txt() directly or OpenSSL subsystems such as OCSP, PKCS7/SMIME, CMS, CMP/CRMF, or TS with no message size limit may experience notable to very long delays when processing specially crafted messages, potentially leading to a Denial of Service. The vulnerability also affects X.509 certificate processing, including signature verification. The impact on TLS is relatively low due to OpenSSL's 100KiB limit on peer certificate chains (OpenSSL Advisory).

OpenSSL has released patches for affected versions: OpenSSL 3.0 users should upgrade to OpenSSL 3.0.9, OpenSSL 3.1 users should upgrade to OpenSSL 3.1.1, OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1u, and OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zh (premium support customers only). The fix implements a size restriction on OBJECT IDENTIFIERs that OBJ_obj2txt() will translate, based on RFC 2578 specifications (OpenSSL Advisory).