CVE-2023-5363: 
MySQL vulnerability analysis and mitigation

CVE-2023-5363 is a vulnerability in OpenSSL's processing of key and initialization vector (IV) lengths, discovered on September 21, 2023. The bug affects OpenSSL versions 3.0 and 3.1, potentially leading to truncation or overruns during the initialization of symmetric ciphers. The vulnerability was assigned a CVSS score of 7.5 (HIGH) (NVD, OpenSSL Advisory).

The vulnerability occurs when calling EVPEncryptInitex2(), EVPDecryptInitex2() or EVPCipherInitex2() functions, where the OSSL_PARAM array is processed after key and IV establishment. This affects the following ciphers and modes: RC2, RC4, RC5, CCM, GCM, and OCB. The issue manifests when modifying key length ('keylen' parameter) or IV length ('ivlen' parameter), causing unintended truncation or overreading of values (OpenSSL Advisory).

The primary impact is potential loss of confidentiality for certain cipher modes, particularly CCM, GCM, and OCB. When following NIST's SP 800-38D section 8.2.1 guidance for constructing deterministic IV in AES-GCM mode, truncation of the counter portion could lead to IV reuse. Both key/IV truncations and overruns produce incorrect results and may trigger memory exceptions (OpenSSL Advisory).

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.12, while OpenSSL 3.1 users should upgrade to OpenSSL 3.1.4. The OpenSSL SSL/TLS implementation is not affected by this issue. Additionally, the OpenSSL 3.0 and 3.1 FIPS providers are not affected as the issue lies outside of the FIPS provider boundary (OpenSSL Advisory).