By security practitioners, for security practitioners

CISA Suggests Patching Severe Vulnerability in OpenSSL

OpenSSL 3.0.4 contains a bug in its RSA implementation that corrupts memory during private key operations and may allow remote code execution.

CISA recommends that administrators running OpenSSL 3.0.4 on TLS/SSL servers update to 3.0.5.

What’s the nature of the vulnerability?

The issue is in the RSA code path that OpenSSL 3.0.4 selects on X86_64 CPUs supporting the AVX512IFMA instructions.

On such machines, RSA operations with 2048-bit private keys are computed incorrectly and memory is corrupted during the computation. An attacker who can trigger that computation (for example, by connecting to a TLS server that uses a 2048-bit RSA key) could potentially achieve remote code execution.

The OpenSSL team rates the severity of this vulnerability as High. The issue was reported by Xi Ruoyao, who also developed the fix.

What can I do to protect against exploit?

Users of OpenSSL 3.0.4 should upgrade to OpenSSL 3.0.5. Depending on the platform, this may require installing upstream binaries rather than waiting for a distribution package.

According to the GitHub issue, setting the environment variable OPENSSL_ia32cap=:~0x200000 (which tells OpenSSL not to use AVX512IFMA) works as a temporary workaround, but it may cause other issues. Note that the variable only takes effect in the environment of the process that loads libcrypto, so it must be set for the TLS server itself (for example, in its service unit), not just in an interactive shell. Review the GitHub issue for more details.

According to the OpenSSL team, the bug was introduced in 3.0.4, so earlier 3.0.x releases are not affected, and 1.1.1 and 1.0.2 are unaffected as well.
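To turn the two conditions above (OpenSSL 3.0.4 and a CPU that exposes AVX512IFMA) into a quick triage check, here is an added example; it is not from the advisory, CISA, or the OpenSSL project. It assumes a Linux host where the `openssl` CLI is on PATH and the CPU flag appears as `avx512ifma` in /proc/cpuinfo (the kernel's name for the feature), and it reports the upgrade or the OPENSSL_ia32cap workaround from the text as the remediation. The functions take the version string and the cpuinfo flags line as arguments so they can be tested with constructed input.

```shell
#!/bin/sh
# Added example (not the advisory's or OpenSSL's code): triage a host for
# CVE-2022-2274 from two inputs, the output of `openssl version` and the
# "flags" line of /proc/cpuinfo. Assumptions: Linux, openssl CLI on PATH.

# Returns 0 (true) only when the version string names OpenSSL 3.0.4.
# The bug was introduced in 3.0.4 and fixed in 3.0.5; 1.1.1 and 1.0.2 are unaffected.
is_vulnerable_version() {
    case "$1" in
        "OpenSSL 3.0.4 "*|"OpenSSL 3.0.4") return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the cpuinfo flags line lists avx512ifma (assumed kernel flag name).
cpu_has_avx512ifma() {
    case " $1 " in
        *" avx512ifma "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints a verdict and returns: 0 = not affected, 1 = vulnerable,
# 2 = running 3.0.4 but the CPU lacks AVX512IFMA (buggy path not selected).
assess() {
    ver="$1"
    flags="$2"
    if ! is_vulnerable_version "$ver"; then
        echo "not affected: $ver"
        return 0
    fi
    if cpu_has_avx512ifma "$flags"; then
        echo "VULNERABLE: $ver on a CPU with AVX512IFMA; upgrade to 3.0.5" \
             "or set OPENSSL_ia32cap=:~0x200000 in the server's environment"
        return 1
    fi
    echo "running 3.0.4 but CPU lacks AVX512IFMA; the affected code path is not used, upgrade anyway"
    return 2
}

# Live check when invoked as: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    assess "$(openssl version)" "$(awk '/^flags/ { print; exit }' /proc/cpuinfo 2>/dev/null)"
fi
```

One caveat when using the live mode: `openssl version` reports the CLI's library, which is not necessarily the libcrypto a given server binary links against (statically linked or bundled builds are common), so confirm the library actually loaded by the TLS process before trusting a "not affected" verdict.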
Resources

  1. CISA Advisory
     https://www.cisa.gov/uscert/ncas/current-activity/2022/07/06/openssl-releases-security-update
  2. OpenSSL Advisory
     https://www.openssl.org/news/secadv/20220705.txt
  3. NIST Description (CVE-2022-2274)
     https://nvd.nist.gov/vuln/detail/CVE-2022-2274
  4. OpenSSL Bug Tracker (GitHub issue)
     https://github.com/openssl/openssl/issues/18625