
CVE-2023-5363 Report - Details, Severity, & Advisories

Twingate Team

May 30, 2024

What is CVE-2023-5363?

CVE-2023-5363 is a high-severity vulnerability affecting OpenSSL. It is caused by a bug in the processing of key and initialization vector (IV) lengths, which can lead to potential truncation or overruns during the initialization of some symmetric ciphers. Impacted systems include certain OpenSSL versions and specific firmware versions of NetApp storage systems. The vulnerability can result in the disclosure of sensitive information on affected systems.

Who is impacted by CVE-2023-5363?

If you're using OpenSSL versions 3.0.0 to 3.0.12 or 3.1.0 to 3.1.4, Debian Linux version 12.0, or certain NetApp firmware versions, you might be affected by this vulnerability. As a result, sensitive information on affected systems could be disclosed.

What should I do if I’m affected?

If you're affected by the CVE-2023-5363 vulnerability, it's important to take action to protect your system:

- OpenSSL 3.0 users should upgrade to version 3.0.12.
- OpenSSL 3.1 users should upgrade to version 3.1.4.
- Monitor vendor advisories for updates and patches.
- Contact technical support if needed.
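To check a host against the upgrade targets given above, the following added example (not part of the original report) classifies an `openssl version` string, treating 3.0.12 and 3.1.4 as the first fixed releases on their lines. The helper name `classify_openssl` and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report): classify an `openssl version` string
# against the upgrade targets the report names: 3.0.12 and 3.1.4.
# classify_openssl is a hypothetical helper name.

# Prints one of: affected | fixed | not-listed | not-openssl | unparsed
classify_openssl() {
    # Forks such as LibreSSL use their own numbering; do not compare them.
    case "$1" in
        "OpenSSL "*) ;;
        *) echo not-openssl; return 0 ;;
    esac
    ver=${1#OpenSSL }      # "3.0.11 19 Sep 2023 (Library: ...)"
    ver=${ver%% *}         # "3.0.11"
    ver=${ver%%[-+]*}      # drop suffixes such as "-dev" or "+quic"
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unparsed; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}   # "1w" (as in 1.1.1w) becomes "1"
    # Each affected release line has its own first fixed patch level.
    case "$major.$minor" in
        3.0) fixed_patch=12 ;;
        3.1) fixed_patch=4 ;;
        *) echo not-listed; return 0 ;;
    esac
    if [ -z "$patch" ]; then echo unparsed; return 0; fi
    if [ "$patch" -lt "$fixed_patch" ]; then echo affected; else echo fixed; fi
}

# Constructed sample strings in the format `openssl version` prints.
for sample in "OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)" \
              "OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)" \
              "OpenSSL 1.1.1w  11 Sep 2023" \
              "LibreSSL 3.3.6"; do
    printf '%-12s %s\n' "$(classify_openssl "$sample")" "$sample"
done

# Check the binary on PATH, if there is one.
if command -v openssl >/dev/null 2>&1; then
    printf 'local: %s\n' "$(classify_openssl "$(openssl version)")"
fi
```

The check compares upstream version numbers only; distribution packages can carry a backported fix under an older version string, so confirm an "affected" result against the vendor advisory for that package.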

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-5363 vulnerability, also known as Incorrect cipher key & IV length processing, is not listed in CISA's Known Exploited Vulnerabilities Catalog. The date it was added and any due date are not available from the provided sources. To address this vulnerability, users of OpenSSL 3.0 should upgrade to version 3.0.12, and users of OpenSSL 3.1 should upgrade to version 3.1.4.

Weakness Enumeration

The weakness enumeration for this vulnerability is "Insufficient Information" (CWE-ID: NVD-CWE-noinfo), indicating a lack of specific details about the vulnerability and its mitigation.

Learn More

For a comprehensive understanding of the vulnerability, its impact, and remediation steps, refer to the NVD page and the sources listed below.
