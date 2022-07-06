OpenSSL fixes remote code execution bug

OpenSSL fixes remote code execution bug

Affects X86_64 processors.

Users of the popular open source OpenSSL version 3.0.4 cryptographic library are advised by its maintainers to upgrade their installations, to fix a high severity bug that can be exploited by attackers to run code remotely.

The vulnerability introduced in OpenSSL 3.0.4 stems from a faulty RSA cryptography implementation, and is tracked as CVE-2022-2274.

On systems with X86_64 architecture processors that support Intel's Advanced Vector 512 (AVX-512) single instruction, multiple data with integer fused multiply accumulator operations, computing RSA 2048 bit private keys has been incorrectly implemented incorrectly, leading to memory corruption.

"As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computing," the OpenSSL maintainers said in their advisory.

PhD student Xi Ruoyao found the bug, which does not affect OpenSSL 1.1.1 and 1.0.2.

Xi reported the vulnerability to OpenSSL and developed a fix for it.

Users are advised to upgrade to OpenSSL 3.0.5, which also contains a fix for for a moderate severity data leak issue that could reveal sixteen bytes of unencrypted data.

The flaw affects the Advanced Encryption Standard Offset Cookbook Mode (AES OCB) on 32-bit x86 computers using the AES-NI assembly optimised implementation, and affects OpenSSL 1.1.1 and 3.0.

Users of those versions are advised to upgrade to OpenSSL 1.1.1q and 3.0.5 respectively.

The release also fixes a second bug, CVE-2022-2097, reported by Google’s Alex Chernyakhovsky. In some circumstances, 16 bytes of data in memory could be revealed as plaintext.

