The OpenSSL project released version 3.0.5 this week to fix a memory corruption bug, introduced by the previous release, that may be exploitable for remote code execution (RCE).
OpenSSL 3.0.4 was released on June 21 to fix the command injection vulnerability CVE-2022-2068 in the c_rehash script, but it introduced a new vulnerability of its own. In mid-June, researchers Guido Vranken and Xi Ruoyao found that the new RSA code produces incorrect results and corrupts heap memory (a heap buffer overflow) during RSA private-key operations, which an attacker can trigger simply by making the server perform one. OpenSSL published a security advisory this week; the issue is tracked as CVE-2022-2274.
According to the OpenSSL advisory, 3.0.4 introduced a bug in the RSA implementation for 2048-bit private keys on X86_64 CPUs that support the AVX512IFMA instructions: on such machines the private-key computation is incorrect and corrupts memory while it runs. An attacker may be able to turn that memory corruption into remote code execution on the affected machine.
At the time of writing, NIST's National Vulnerability Database (NVD) had not yet assigned CVE-2022-2274 a CVSS score; Red Hat scored it 8.1 (High), and OpenSSL's own advisory rates the issue High.
Any SSL/TLS server (or other server) that runs OpenSSL 3.0.4 on an X86_64 CPU with AVX512IFMA support and uses a 2048-bit RSA private key is affected by CVE-2022-2274; all three conditions must hold, and the advisory names only 2048-bit RSA keys. The older OpenSSL 1.1.1 and 1.0.2 branches are not affected.
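The three affected-configuration conditions above can be checked from the shell. The script below is an added example, not OpenSSL project code: it parses the output of `openssl version`, the `flags` line of /proc/cpuinfo (where the Linux kernel exposes the feature as `avx512ifma`), and the `Private-Key: (NNNN bit, ...)` line printed by `openssl rsa -noout -text`. The sample outputs it runs against are constructed, not captured from a real host.

```shell
#!/bin/sh
# Exposure check for CVE-2022-2274 (added example, not OpenSSL project code).
# Per the advisory a host is exposed only when all three hold:
#   1. the OpenSSL in use is 3.0.4,
#   2. the X86_64 CPU supports AVX512IFMA (Linux shows it as the
#      "avx512ifma" flag in /proc/cpuinfo), and
#   3. the server's RSA private key is 2048 bits.

# $1: output of `openssl version`, e.g. "OpenSSL 3.0.4 21 Jun 2022"
# succeeds (exit 0) only for version 3.0.4
openssl_version_is_3_0_4() {
    [ "$(printf '%s\n' "$1" | awk '{ print $2 }')" = "3.0.4" ]
}

# $1: contents of /proc/cpuinfo
# succeeds when any "flags" line lists avx512ifma as a whole word
cpu_has_avx512ifma() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' \
        | grep -qE '[[:space:]]avx512ifma([[:space:]]|$)'
}

# $1: output of `openssl rsa -in key.pem -noout -text`
# prints the modulus size from the "Private-Key: (NNNN bit, ...)" line
# (OpenSSL 1.1.1 prefixes that line with "RSA ", which is tolerated)
rsa_key_bits() {
    printf '%s\n' "$1" \
        | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# all three conditions together; exit 0 = affected, 1 = not affected
cve_2022_2274_affected() {
    openssl_version_is_3_0_4 "$1" \
        && cpu_has_avx512ifma "$2" \
        && [ "$(rsa_key_bits "$3")" = "2048" ]
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION='OpenSSL 3.0.4 21 Jun 2022'
SAMPLE_CPUINFO='processor	: 0
model name	: constructed sample
flags		: fpu vme sse2 avx2 avx512f avx512dq avx512ifma avx512cd avx512bw avx512vl'
SAMPLE_KEYTEXT='Private-Key: (2048 bit, 2 primes)
modulus:
    00:c3:5e:01'

if cve_2022_2274_affected "$SAMPLE_VERSION" "$SAMPLE_CPUINFO" "$SAMPLE_KEYTEXT"; then
    echo "sample host: affected by CVE-2022-2274, upgrade to OpenSSL 3.0.5"
else
    echo "sample host: not in the affected configuration"
fi

# Live check of the current host, skipped where the inputs are unavailable.
if command -v openssl >/dev/null 2>&1 && [ -r /proc/cpuinfo ]; then
    if openssl_version_is_3_0_4 "$(openssl version)" \
        && cpu_has_avx512ifma "$(cat /proc/cpuinfo)"; then
        echo "this host: OpenSSL 3.0.4 on an AVX512IFMA CPU; any 2048-bit RSA key is exposed"
    else
        echo "this host: OpenSSL version or CPU is outside the affected configuration"
    fi
fi
```

Two caveats when running the live check: `openssl version` reports the library the command-line tool links, so an application that bundles or statically links its own libcrypto has to be checked separately, and a hypervisor can hide CPUID feature bits from a guest, so the flags visible in a VM are what matter for OpenSSL running in that VM, not the host's physical CPU.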
Xi Ruoyao had already supplied a fix last week, but with no OpenSSL release carrying it, some users downgraded from 3.0.4 in the meantime, which reintroduced the vulnerabilities that 3.0.4 had fixed. The OpenSSL project urges 3.0.4 users to update to 3.0.5 as soon as possible.