The maintainers of the OpenSSL project have released patches to address a high-severity bug[1] in the cryptographic library that could lead to remote code execution under certain scenarios.

The issue[2], now assigned the identifier CVE-2022-2274[3], has been described as a case of heap memory corruption during RSA private key operations that was introduced in OpenSSL version 3.0.4, released on June 21, 2022.
First released in 1998, OpenSSL is a general-purpose cryptography library[4] that offers an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, enabling users to generate private keys, create certificate signing requests (CSRs[5]), and install SSL/TLS certificates.
“SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue,” the advisory noted[6].
Calling it a “serious bug in the RSA implementation,” the maintainers said the flaw could lead to memory corruption during computation that could be weaponized by an attacker to trigger remote code execution on the machine performing the computation.
Xi Ruoyao, a Ph.D. student at Xidian University, has been credited with reporting the flaw to OpenSSL on June 22, 2022. Users of the library are advised to upgrade to OpenSSL version 3.0.5[7] to mitigate any potential threats.
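The advisory's affected set is narrow: OpenSSL 3.0.4 on an x86_64 host whose CPU supports AVX512IFMA. The following triage helper, added here and not taken from the article or from the OpenSSL project, turns those two conditions into a check an administrator can run across a fleet. It assumes a Linux host where `openssl version` prints the library version and `/proc/cpuinfo` lists the CPU feature `avx512ifma` on its `flags` line; the function names `is_affected` and `host_check` and the sample strings are my own. It does not exercise the bug itself, and it does not check whether the host actually serves 2048-bit RSA keys, which remains a manual step.

```bash
#!/usr/bin/env bash
# Added triage helper (not from the article or OpenSSL): does this host match
# the conditions the CVE-2022-2274 advisory names? Version 3.0.4 plus a CPU
# with AVX512IFMA. Anything else is reported as not matching.

# is_affected VERSION CPUFLAGS
#   VERSION  - output of "openssl version" or a bare "3.0.4"
#   CPUFLAGS - the "flags" line of /proc/cpuinfo (space-separated features)
# Returns 0 (true) when both advisory conditions hold, 1 otherwise.
is_affected() {
    local version="$1" cpuflags="$2" ver
    # Pull the first dotted version number out of whatever was printed.
    ver=$(printf '%s\n' "$version" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
    # Only 3.0.4 shipped the faulty code path; 3.0.5 carries the fix.
    [ "$ver" = "3.0.4" ] || return 1
    # The kernel reports the feature as the lowercase token "avx512ifma".
    # Pad with spaces so we match a whole token, not a prefix of another one.
    printf ' %s \n' "$cpuflags" | grep -q ' avx512ifma ' || return 1
    return 0
}

# host_check: run is_affected against the live host and print a verdict.
host_check() {
    local ver flags
    ver=$(openssl version 2>/dev/null || echo "openssl not found")
    # On non-Linux hosts /proc/cpuinfo is absent; treat that as "no flags".
    flags=$(awk -F: '/^flags/{print $2; exit}' /proc/cpuinfo 2>/dev/null || true)
    if is_affected "$ver" "$flags"; then
        echo "AFFECTED: $ver on a CPU with AVX512IFMA; upgrade to OpenSSL 3.0.5"
    else
        echo "not matching the advisory conditions: $ver"
    fi
}

# Constructed sample inputs (not captured from any real host) for a self-test.
SAMPLE_VERSION_BAD="OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)"
SAMPLE_VERSION_OK="OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)"
SAMPLE_FLAGS_IFMA="fpu vme de pse tsc msr pae mce cx8 apic sep avx512f avx512ifma avx512vbmi"
SAMPLE_FLAGS_PLAIN="fpu vme de pse tsc msr pae mce cx8 apic sep avx2"

# Self-test on the constructed samples, then the live host verdict.
if is_affected "$SAMPLE_VERSION_BAD" "$SAMPLE_FLAGS_IFMA"; then
    echo "self-test: 3.0.4 + avx512ifma -> affected (expected)"
fi
if ! is_affected "$SAMPLE_VERSION_OK" "$SAMPLE_FLAGS_IFMA"; then
    echo "self-test: 3.0.5 + avx512ifma -> not affected (expected)"
fi
if ! is_affected "$SAMPLE_VERSION_BAD" "$SAMPLE_FLAGS_PLAIN"; then
    echo "self-test: 3.0.4 without avx512ifma -> not affected (expected)"
fi
host_check
```

Both conditions must hold for a match, so a 3.0.4 install on a CPU without AVX512IFMA is reported as not matching; that mirrors the advisory's wording rather than a blanket "upgrade everything" policy, though upgrading to 3.0.5 everywhere is still the simpler fleet-wide fix.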
References
[1] high-severity bug (thehackernews.com)
[2] issue (github.com)
[3] CVE-2022-2274 (nvd.nist.gov)
[4] cryptography library (www.digicert.com)
[5] CSRs (en.wikipedia.org)
[6] noted (www.openssl.org)
[7] OpenSSL version 3.0.5 (www.openssl.org)
Read more https://thehackernews.com/2022/07/openssl-releases-patch-for-high.html
