
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-39533 affects go-libp2p, the Go implementation of the libp2p Networking Stack. The vulnerability was discovered in versions prior to 0.27.8, 0.28.2, and 0.29.1, where malicious peers could exploit large RSA keys to conduct resource exhaustion attacks during the Noise handshake and libp2p x509 extension verification step (GHSA Advisory).
The vulnerability allows a malicious peer to force a node to spend excessive CPU time verifying signatures made with very large RSA keys. The issue is in the core/crypto module of go-libp2p and can be triggered during both the Noise handshake and the libp2p x509 extension verification step. The vulnerability has a CVSS v3.1 Base Score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).
Because a peer chooses the key it presents, an attacker can make an affected node expend significant computational resources simply by presenting large RSA keys for verification. This can lead to a denial of service as the node spends its time performing signature verification instead of serving legitimate peers (GHSA Advisory).
To mitigate this vulnerability, users should upgrade to go-libp2p versions >= v0.27.8, >= v0.28.2, or >= v0.29.1. The upgraded library must also be built with Go 1.20.7 or 1.19.12, which carry the corresponding fix in the Go standard library. The fix restricts accepted RSA keys to <= 8192 bits, so an oversized key is rejected before any signature verification is attempted. There are no known workarounds for this issue (GHSA Advisory).
Source: This report was generated using AI