csaf_microsoft - msrc

MSRC_CVE-2023-5363

Vulnerability from csaf_microsoft - Published: 2023-10-01 00:00 - Updated: 2024-11-28 00:00

Summary

Incorrect cipher key & IV length processing

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2023-5363 Incorrect cipher key \u0026 IV length processing - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-5363.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Incorrect cipher key \u0026 IV length processing",
    "tracking": {
      "current_release_date": "2024-11-28T00:00:00.000Z",
      "generator": {
        "date": "2025-10-20T00:44:26.428Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2023-5363",
      "initial_release_date": "2023-10-01T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2023-10-31T00:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2024-07-13T00:00:00.000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Information published."
        },
        {
          "date": "2024-08-29T00:00:00.000Z",
          "legacy_version": "1.2",
          "number": "3",
          "summary": "Information published."
        },
        {
          "date": "2024-08-30T00:00:00.000Z",
          "legacy_version": "1.3",
          "number": "4",
          "summary": "Information published."
        },
        {
          "date": "2024-08-31T00:00:00.000Z",
          "legacy_version": "1.4",
          "number": "5",
          "summary": "Information published."
        },
        {
          "date": "2024-09-01T00:00:00.000Z",
          "legacy_version": "1.5",
          "number": "6",
          "summary": "Information published."
        },
        {
          "date": "2024-09-02T00:00:00.000Z",
          "legacy_version": "1.6",
          "number": "7",
          "summary": "Information published."
        },
        {
          "date": "2024-09-03T00:00:00.000Z",
          "legacy_version": "1.7",
          "number": "8",
          "summary": "Information published."
        },
        {
          "date": "2024-09-05T00:00:00.000Z",
          "legacy_version": "1.8",
          "number": "9",
          "summary": "Information published."
        },
        {
          "date": "2024-09-06T00:00:00.000Z",
          "legacy_version": "1.9",
          "number": "10",
          "summary": "Information published."
        },
        {
          "date": "2024-09-07T00:00:00.000Z",
          "legacy_version": "2",
          "number": "11",
          "summary": "Information published."
        },
        {
          "date": "2024-09-08T00:00:00.000Z",
          "legacy_version": "2.1",
          "number": "12",
          "summary": "Information published."
        },
        {
          "date": "2024-09-11T00:00:00.000Z",
          "legacy_version": "2.2",
          "number": "13",
          "summary": "Information published."
        },
        {
          "date": "2024-11-28T00:00:00.000Z",
          "legacy_version": "2.3",
          "number": "14",
          "summary": "Added hvloader to CBL-Mariner 2.0\nAdded cloud-hypervisor-cvm to CBL-Mariner 2.0\nAdded nodejs18 to CBL-Mariner 2.0\nAdded cloud-hypervisor-cvm to Azure Linux 3.0"
        }
      ],
      "status": "final",
      "version": "14"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              },
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 cloud-hypervisor-cvm 38.0.72-1",
                "product": {
                  "name": "\u003ccbl2 cloud-hypervisor-cvm 38.0.72-1",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 cloud-hypervisor-cvm 38.0.72-1",
                "product": {
                  "name": "cbl2 cloud-hypervisor-cvm 38.0.72-1",
                  "product_id": "19801"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 cloud-hypervisor-cvm 38.0.72-2",
                "product": {
                  "name": "\u003cazl3 cloud-hypervisor-cvm 38.0.72-2",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 cloud-hypervisor-cvm 38.0.72-2",
                "product": {
                  "name": "azl3 cloud-hypervisor-cvm 38.0.72-2",
                  "product_id": "19807"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 cloud-hypervisor-cvm 38.0.72.2-1",
                "product": {
                  "name": "\u003ccbl2 cloud-hypervisor-cvm 38.0.72.2-1",
                  "product_id": "6"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 cloud-hypervisor-cvm 38.0.72.2-1",
                "product": {
                  "name": "cbl2 cloud-hypervisor-cvm 38.0.72.2-1",
                  "product_id": "16977"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 cloud-hypervisor-cvm 38.0.72.2-1",
                "product": {
                  "name": "\u003cazl3 cloud-hypervisor-cvm 38.0.72.2-1",
                  "product_id": "5"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 cloud-hypervisor-cvm 38.0.72.2-1",
                "product": {
                  "name": "azl3 cloud-hypervisor-cvm 38.0.72.2-1",
                  "product_id": "16982"
                }
              }
            ],
            "category": "product_name",
            "name": "cloud-hypervisor-cvm"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 hvloader 1.0.1-5",
                "product": {
                  "name": "\u003ccbl2 hvloader 1.0.1-5",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 hvloader 1.0.1-5",
                "product": {
                  "name": "cbl2 hvloader 1.0.1-5",
                  "product_id": "19809"
                }
              }
            ],
            "category": "product_name",
            "name": "hvloader"
          },
          {
            "category": "product_name",
            "name": "azl3 qemu 8.2.0-16",
            "product": {
              "name": "azl3 qemu 8.2.0-16",
              "product_id": "4"
            }
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 cloud-hypervisor-cvm 38.0.72-1 as a component of CBL Mariner 2.0",
          "product_id": "17086-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 cloud-hypervisor-cvm 38.0.72-1 as a component of CBL Mariner 2.0",
          "product_id": "19801-17086"
        },
        "product_reference": "19801",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 cloud-hypervisor-cvm 38.0.72-2 as a component of Azure Linux 3.0",
          "product_id": "17084-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 cloud-hypervisor-cvm 38.0.72-2 as a component of Azure Linux 3.0",
          "product_id": "19807-17084"
        },
        "product_reference": "19807",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 qemu 8.2.0-16 as a component of Azure Linux 3.0",
          "product_id": "17084-4"
        },
        "product_reference": "4",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 cloud-hypervisor-cvm 38.0.72.2-1 as a component of CBL Mariner 2.0",
          "product_id": "17086-6"
        },
        "product_reference": "6",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 cloud-hypervisor-cvm 38.0.72.2-1 as a component of CBL Mariner 2.0",
          "product_id": "16977-17086"
        },
        "product_reference": "16977",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 cloud-hypervisor-cvm 38.0.72.2-1 as a component of Azure Linux 3.0",
          "product_id": "17084-5"
        },
        "product_reference": "5",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 cloud-hypervisor-cvm 38.0.72.2-1 as a component of Azure Linux 3.0",
          "product_id": "16982-17084"
        },
        "product_reference": "16982",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 hvloader 1.0.1-5 as a component of CBL Mariner 2.0",
          "product_id": "17086-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 hvloader 1.0.1-5 as a component of CBL Mariner 2.0",
          "product_id": "19809-17086"
        },
        "product_reference": "19809",
        "relates_to_product_reference": "17086"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-5363",
      "cwe": {
        "id": "CWE-684",
        "name": "Incorrect Provision of Specified Functionality"
      },
      "flags": [
        {
          "label": "component_not_present",
          "product_ids": [
            "17084-4"
          ]
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "openssl",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "19801-17086",
          "19807-17084",
          "16977-17086",
          "16982-17084",
          "19809-17086"
        ],
        "known_affected": [
          "17086-3",
          "17084-2",
          "17086-6",
          "17084-5",
          "17086-1"
        ],
        "known_not_affected": [
          "17084-4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-5363 Incorrect cipher key \u0026 IV length processing - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-5363.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-10-31T00:00:00.000Z",
          "details": "38.0.72.2-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-3",
            "17084-2"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2023-10-31T00:00:00.000Z",
          "details": "-:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-6",
            "17084-5"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2023-10-31T00:00:00.000Z",
          "details": "1.0.1-6:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-1"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "17086-3",
            "17084-2",
            "17086-6",
            "17084-5",
            "17086-1"
          ]
        }
      ],
      "title": "Incorrect cipher key \u0026 IV length processing"
    }
  ]
}

CVE-2023-5363 (GCVE-0-2023-5363)

Vulnerability from cvelistv5 – Published: 2023-10-24 15:31 – Updated: 2025-12-02 19:49

Summary

Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue.

Severity ?

No CVSS data available.

CWE

CWE-684 - Incorrect Provision of Specified Functionality

Assigner

openssl

References

URL

Tags

	https://www.openssl.org/news/secadv/20231024.txt	vendor-advisory
	https://git.openssl.org/gitweb/?p=openssl.git;a=c…	patch
	https://git.openssl.org/gitweb/?p=openssl.git;a=c…	patch

Impacted products

	Vendor	Product	Version
	OpenSSL	OpenSSL	Affected: 3.0.0 , < 3.0.12 (semver) Affected: 3.1.0 , < 3.1.4 (semver)

Credits

Tony Battersby (Cybernetics) Dr Paul Dale

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:50:37.158Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "OpenSSL Advisory",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.openssl.org/news/secadv/20231024.txt"
          },
          {
            "name": "3.1.4 git commit",
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee"
          },
          {
            "name": "3.0.12 git commit",
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5532"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231027-0010/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240201-0003/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240201-0004/"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20241108-0002/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-5363",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-03T19:15:36.625641Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-02T19:49:14.914Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "3.0.12",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.1.4",
              "status": "affected",
              "version": "3.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Tony Battersby (Cybernetics)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Dr Paul Dale"
        }
      ],
      "datePublic": "2023-10-24T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Issue summary: A bug has been identified in the processing of key and\u003cbr\u003einitialisation vector (IV) lengths.  This can lead to potential truncation\u003cbr\u003eor overruns during the initialisation of some symmetric ciphers.\u003cbr\u003e\u003cbr\u003eImpact summary: A truncation in the IV can result in non-uniqueness,\u003cbr\u003ewhich could result in loss of confidentiality for some cipher modes.\u003cbr\u003e\u003cbr\u003eWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\u003cbr\u003eEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\u003cbr\u003ethe key and IV have been established.  Any alterations to the key length,\u003cbr\u003evia the \"keylen\" parameter or the IV length, via the \"ivlen\" parameter,\u003cbr\u003ewithin the OSSL_PARAM array will not take effect as intended, potentially\u003cbr\u003ecausing truncation or overreading of these values.  The following ciphers\u003cbr\u003eand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\u003cbr\u003e\u003cbr\u003eFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\u003cbr\u003eloss of confidentiality.  For example, when following NIST\u0027s SP 800-38D\u003cbr\u003esection 8.2.1 guidance for constructing a deterministic IV for AES in\u003cbr\u003eGCM mode, truncation of the counter portion could lead to IV reuse.\u003cbr\u003e\u003cbr\u003eBoth truncations and overruns of the key and overruns of the IV will\u003cbr\u003eproduce incorrect results and could, in some cases, trigger a memory\u003cbr\u003eexception.  However, these issues are not currently assessed as security\u003cbr\u003ecritical.\u003cbr\u003e\u003cbr\u003eChanging the key and/or IV lengths is not considered to be a common operation\u003cbr\u003eand the vulnerable API was recently introduced. Furthermore it is likely that\u003cbr\u003eapplication developers will have spotted this problem during testing since\u003cbr\u003edecryption would fail unless both peers in the communication were similarly\u003cbr\u003evulnerable. For these reasons we expect the probability of an application being\u003cbr\u003evulnerable to this to be quite low. However if an application is vulnerable then\u003cbr\u003ethis issue is considered very serious. For these reasons we have assessed this\u003cbr\u003eissue as Moderate severity overall.\u003cbr\u003e\u003cbr\u003eThe OpenSSL SSL/TLS implementation is not affected by this issue.\u003cbr\u003e\u003cbr\u003eThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\u003cbr\u003ethe issue lies outside of the FIPS provider boundary.\u003cbr\u003e\u003cbr\u003eOpenSSL 3.1 and 3.0 are vulnerable to this issue."
            }
          ],
          "value": "Issue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths.  This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established.  Any alterations to the key length,\nvia the \"keylen\" parameter or the IV length, via the \"ivlen\" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values.  The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality.  For example, when following NIST\u0027s SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception.  However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue."
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "MODERATE"
            },
            "type": "https://www.openssl.org/policies/secpolicy.html"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-684",
              "description": "CWE-684 Incorrect Provision of Specified Functionality",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-14T14:55:52.132Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.openssl.org/news/secadv/20231024.txt"
        },
        {
          "name": "3.1.4 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee"
        },
        {
          "name": "3.0.12 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Incorrect cipher key \u0026 IV length processing",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2023-5363",
    "datePublished": "2023-10-24T15:31:40.890Z",
    "dateReserved": "2023-10-03T16:19:46.060Z",
    "dateUpdated": "2025-12-02T19:49:14.914Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

MSRC_CVE-2023-5363

CVE-2023-5363 (GCVE-0-2023-5363)

Tags

Sightings

Nomenclature