Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

OpenSSL Patches Remote Code Execution Vulnerability

OpenSSL has issued an urgent advisory to warn of a memory corruption vulnerability that exposes servers to remote code execution attacks.

The vulnerability, tracked as CVE-2022-2274, was introduced in OpenSSL 3.0.4 and could potentially allow malicious hackers to launch remote code attacks on unpatched SSL/TLS server side devices.

OpenSSL has issued an urgent advisory to warn of a memory corruption vulnerability that exposes servers to remote code execution attacks.

The vulnerability, tracked as CVE-2022-2274, was introduced in OpenSSL 3.0.4 and could potentially allow malicious hackers to launch remote code attacks on unpatched SSL/TLS server side devices.

The open source group rates this a “high-severity” issue and urged users to upgrade to OpenSSL 3.0.5.

[ READ: Evolution of OpenSSL Security After Heartbleed ]

Details from the OpenSSL advisory:

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions.


This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.


Advertisement. Scroll to continue reading.

SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue, according to the advisory.

Related: Three New Vulnerabilities Patched in OpenSSL

Related: High-Severity DoS Vulnerability Patched in OpenSSL

Related: OpenSSL Ships ‘High Severity’ Security Patch

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.