
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The POLY1305 MAC (message authentication code) implementation in OpenSSL contains a vulnerability (CVE-2023-6129) affecting PowerPC CPU-based platforms with vector instructions. The vulnerability was discovered on October 9th, 2023 and affects OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4, and 3.2.0. The FIPS provider is not affected as it does not implement the POLY1305 MAC algorithm (OpenSSL Advisory).
The vulnerability occurs because the POLY1305 MAC implementation for PowerPC CPUs restores vector registers in a different order than they are saved, leading to corruption of some vector register contents when returning to the caller. This issue only affects newer PowerPC processors that support PowerISA 2.07 instructions. The POLY1305 MAC algorithm is primarily used as part of the CHACHA20-POLY1305 AEAD algorithm, commonly used in TLS 1.2 and 1.3. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 MEDIUM (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H) (NVD).
The consequences of this vulnerability can vary depending on the application. If the application doesn't depend on non-volatile XMM register contents, there may be no impact. However, in worst-case scenarios, an attacker could potentially gain complete control of the application process. The most likely outcomes are incorrect calculation results or crashes leading to denial of service. For TLS server applications using OpenSSL, a malicious client can influence whether the vulnerable CHACHA20-POLY1305 AEAD cipher is used (OpenSSL Advisory).
Due to the low severity classification, OpenSSL did not issue immediate new releases. However, fixes have been made available in the OpenSSL git repository through the following commits: commit 5b139f95 (for 3.2), commit f3fc5808 (for 3.1), and commit 050d263 (for 3.0). These fixes will be included in future OpenSSL releases (OpenSSL Advisory).
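The affected-version ranges and the PowerPC condition described above can be turned into a coarse host triage check. The following is an added example, not code from OpenSSL or from this database; the function names, the set of machine strings, and the sample banners are assumptions made for illustration.

```python
import platform
import re
import subprocess

# Affected OpenSSL ranges exactly as listed in this entry (inclusive bounds).
AFFECTED_RANGES = [((3, 0, 0), (3, 0, 12)), ((3, 1, 0), (3, 1, 4)), ((3, 2, 0), (3, 2, 0))]
# Assumption: values platform.machine() commonly reports on PowerPC systems.
POWERPC_MACHINES = {"ppc", "ppc64", "ppc64le", "powerpc", "powerpc64", "powerpc64le"}


def parse_openssl_version(banner):
    """Return (major, minor, patch) from `openssl version` output, or None."""
    match = re.match(r"\s*OpenSSL\s+(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(part) for part in match.groups()) if match else None


def assess(banner, machine):
    """Coarse triage of one host for CVE-2023-6129.

    Does not test for PowerISA 2.07 support or for distribution backports, so
    "potentially-affected" means "check the vendor advisory", not "confirmed".
    """
    if machine.lower() not in POWERPC_MACHINES:
        return "arch-not-affected"
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown-version"
    if any(low <= version <= high for low, high in AFFECTED_RANGES):
        return "potentially-affected"
    return "version-not-in-range"


def local_banner():
    """Run `openssl version`; return an empty string if it cannot be run."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True, text=True, timeout=10)
        return result.stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""


if __name__ == "__main__":
    # Constructed sample banners (not captured from real hosts), then the local host.
    for sample, arch in [("OpenSSL 3.0.12 1 Jan 2024", "ppc64le"), ("OpenSSL 3.1.5 1 Jan 2024", "ppc64le")]:
        print(sample, arch, "->", assess(sample, arch))
    print("local host ->", assess(local_banner(), platform.machine()))
```

The `openssl` command reports the version of the installed command-line tool; applications that bundle or statically link their own libcrypto need to be checked separately.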
Source: This report was generated using AI