# OpenSSL Advisory: November 6th, 2023

OpenSSL have published a [security advisory](https://www.openssl.org/news/secadv/20231106.txt). Here's how it affects BoringSSL:

| CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL |
| ----|---------|-----------------------|--------------------- |
| CVE-2023-5678 | Excessive time spent in DH check / generation with large Q parameter value | Low | Addressed in previous advisory. See below. |

[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity

## CVE-2023-5678

This was one of the issues we discovered in the course of addressing CVE-2023-3446 and CVE-2023-3817. BoringSSL's [original fix](https://boringssl.googlesource.com/boringssl/+/d85444e741b73a77fe4359cd3db189482d4f4806) for those CVEs additionally addressed this issue in August 2023.

Per our [August advisory](2023-08-01.md), these issues do not impact our TLS implementation. Although the TLS 1.2 DHE construction did not correctly handle domain parameters, we removed DHE ciphers in [2017](https://boringssl.googlesource.com/boringssl/+/7e06de5d2d1b53c57c0c81e8d6ba4122b64cf626) for [related reasons](https://groups.google.com/a/chromium.org/g/blink-dev/c/AAdv838-koo/m/bJv17voIBAAJ). They additionally do not affect callers that correctly use Diffie-Hellman with trusted domain parameters.

As only incorrect uses are impacted, BoringSSL considers these changes to be a hardening measure, not a security fix. In particular, these checks do not ensure the group is suitable for use with Diffie-Hellman—they only enforce a DoS bound. Ultimately, callers of legacy Diffie-Hellman are responsible for selecting valid domain parameters. Callers are recommended to migrate to modern primitives, such as X25519 or ECDH with P-256.
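
The difference between a DoS bound and group validation, as an added Python illustration (not BoringSSL or OpenSSL code): size checks run before any modular arithmetic, and passing them never implies the group is trusted. The 10,000-bit limit, the function names and the toy group (23, 2, 11) are assumptions made for this example.

```python
MAX_MODULUS_BITS = 10_000  # assumed limit for this sketch, not quoted from the advisory
# Constructed toy group (p, g, q); a real caller pins vetted groups here instead.
TRUSTED_GROUPS = {(23, 2, 11)}


def dos_bound_rejection(p, g, q=None, max_bits=MAX_MODULUS_BITS):
    """Return why (p, g, q) is rejected, or None if it passes the bound.

    Only bit_length() and comparisons run until every size check has passed,
    so the work spent on hostile input is bounded by max_bits. Primality of
    p and q is deliberately not tested: this is a cost bound, not validation.
    """
    if p.bit_length() > max_bits:
        return "modulus exceeds the size bound"
    if p < 5 or p % 2 == 0:
        return "modulus must be odd and at least 5"
    if not 1 < g < p - 1:
        return "generator outside (1, p-1)"
    if q is not None:
        if not 1 < q < p:
            return "q outside (1, p)"
        # Costly steps run last; every operand is now no larger than p.
        if (p - 1) % q != 0:
            return "q does not divide p-1"
        if pow(g, q, p) != 1:
            return "g**q mod p is not 1"
    return None


def accept_peer_group(p, g, q=None):
    """Accept only pinned groups; passing the bound alone never implies trust."""
    if dos_bound_rejection(p, g, q) is not None:
        return False
    return (p, g, q) in TRUSTED_GROUPS
```

A composite modulus such as 25 passes `dos_bound_rejection` but is refused by `accept_peer_group`, which is why the allowlist, not the bound, decides whether a group is used.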

For more details, see our [August advisory](2023-08-01.md).