OpenSSL Critical Vulnerability – CVE-2022-2274
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
A new OpenSSL hot-fix release that patches a critical vulnerability in the v3.0.x branch will be released today.
The following Linux distributions use v3.0.x and may be vulnerable, though it would be wise to check all distros running OpenSSL to err on the side of caution.
- Ubuntu 22.04
- CentOS 9
- Fedora 9
This has been assigned CVE-2022-2274, with a critical rating of 9.8 out of 10.0.
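The three conditions described above (OpenSSL 3.0.4, x86_64, AVX512IFMA) can be checked per host. The script below is an added example, not code from the OpenSSL project; the function names and sample inputs are hypothetical, and it assumes a Linux host where CPU flags appear in `/proc/cpuinfo`.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2022-2274. Function names are hypothetical.

# Constructed sample inputs (not captured from a real machine).
SAMPLE_BANNER='OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)'
SAMPLE_CPUINFO='processor : 0
flags : fpu vme avx2 avx512f avx512ifma sha_ni'

# True (0) when an `openssl version` banner reports exactly 3.0.4,
# the release the advisory says introduced the bug.
is_affected_version() {
    case "$1" in
        "OpenSSL 3.0.4"|"OpenSSL 3.0.4 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# True (0) when the cpuinfo text lists avx512ifma as a whole flag,
# so neighbours such as avx512f alone do not match.
has_avx512ifma() {
    printf '%s\n' "$1" |
        grep -Eq '^flags[[:space:]]*:.*[[:space:]]avx512ifma([[:space:]]|$)'
}

# Print a verdict. Arguments: machine arch, cpuinfo text, openssl banner.
cve_2022_2274_status() {
    if [ "$1" != "x86_64" ]; then
        echo "not-affected: architecture is $1"
    elif ! is_affected_version "$3"; then
        echo "not-affected: OpenSSL is not 3.0.4"
    elif ! has_avx512ifma "$2"; then
        echo "not-affected: CPU lacks avx512ifma"
    else
        echo "AFFECTED: OpenSSL 3.0.4 on x86_64 with avx512ifma"
    fi
}

# Gather the three inputs from the live host and evaluate them.
check_host() {
    cve_2022_2274_status "$(uname -m)" "$(cat /proc/cpuinfo 2>/dev/null)" \
        "$(openssl version 2>/dev/null)"
}

# Only touch the live host when asked to: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

The `openssl` binary on the PATH may not be the library a given server links against, so applications that bundle their own OpenSSL need to be checked separately.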
References
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4d8a88c134df634ba610ff8db1eb8478ac5fd345
https://github.com/openssl/openssl/issues/18625
https://www.openssl.org/news/secadv/20220705.txt
https://security.netapp.com/advisory/ntap-20220715-0010/