CVE-2022-2274
Description
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2022-2274
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2022-2274.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 3.0.4-2 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 3.0.4-2 |
| debian | sid | fixed | 3.0.4-2 |
| debian | trixie | fixed | 3.0.4-2 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| crates.io | openssl-src | | |
| crates.io | openssl-src | >=300.0.8,<300.0.9 | 300.0.9 |
References
- https://www.openssl.org/news/secadv/20220705.txt
- https://www.suse.com/security/cve/CVE-2022-2274.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-2274
- https://github.com/openssl/openssl/issues/18625
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4d8a88c134df634ba610ff8db1eb8478ac5fd345
- https://rustsec.org/advisories/RUSTSEC-2022-0033.html
- https://security.netapp.com/advisory/ntap-20220715-0010
- https://crates.io/crates/openssl-src
- https://security-tracker.debian.org/tracker/CVE-2022-2274
Verify integrity in audit chain (admin only). AS-IS.