New vulnerability CVE-2023-5678 in OpenSSL version 1.1.1q

shiva.hw · February 6, 2024, 8:40am

New vulnerability CVE-2023-5678 in OpenSSL version 1.1.1q,

We are using following packages in our android application.

‘net.zetetic:android-database-sqlcipher:4.5.4@aar’
‘net.zetetic:android-database-sqlcipher:4.5.3@aar’
‘net.zetetic:android-database-sqlcipher:4.5.2@aar’

Does CVE-2023-5678 affect our application?

sjlombardo · February 6, 2024, 1:46pm

@shiva.hw SQLCipher does not use DH, so it is not affected by CVE-2023-5678.

Even so, our recommendation would be to upgrade to SQLCipher 4.5.6 which is based on SQLite 3.44.2.

We are no longer releasing pre-built community edition packages of the legacy android-database-sqlcipher package, so if you are using community edition we recommend migrating to sqlcipher-android (integration instructions, github , migration guide).

If you are using a commercially licensed android-database-sqlcipher package you may contact us separately at support@zetetic.net to discuss further.

shiva.hw · March 21, 2024, 9:58am

is this applicable for Android app

sjlombardo · March 25, 2024, 2:38pm

Yes, this is applicable to Android

Topic		Replies	Views
New vulnerability CVE-2023-5678 in openssl SQLCipher	1	225	November 9, 2023
Use of 'net.zetetic:android-database-sqlcipher:4.5.1@aar' give OpenSSL 1.1.1m vulnerability SQLCipher	3	416	June 1, 2022
Our internal tool reported CVE-2023-0464 vulnerability in openssl SQLCipher	1	390	March 31, 2023
New vulnerabilities detected in openssl SQLCipher	1	413	August 3, 2023
New vulnerabilities detected in library OpenSSL version 1.1.1q SQLCipher	3	294	November 12, 2023

New vulnerability CVE-2023-5678 in OpenSSL version 1.1.1q

Related topics