How can we help?
A recent release of OpenSSL was found to be vulnerable to a memory corruption bug when running on certain processor architectures (CVE-2022-2274). OpenSSL is an open source library to implement TLS encryption, which is used in many different web server software stacks.
The vulnerability was added in OpenSSL version 3.0.4, released on 21 June 2022. It only affects x64 systems on specialist processors with the AVX-512 (Advanced Vector Extensions) instruction set. The issue is with the RSA implementation and can cause memory corruption. By exploiting this, an attacker may be able to execute code on the machine performing the computation.
A remote attacker may be able to run code on some web servers running the latest release of OpenSSL or leak private data to the attacker.
Check which version of OpenSSL is installed using the following command:
On Linux it’s possible to see which instructions your processor supports using:
SSL/TLS servers or other servers using 2048 bit RSA private keys, running on machines supporting AVX512-IFMA instruction as part of the X86_64 architecture.
AVX-512 support is found in the following processors:
Containment, Mitigations & Remediations
Users of the OpenSSL 3.0.4 version should upgrade to OpenSSL 3.0.5.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Indicators of Compromise
An RCE in a widely used, public facing library could have an incredibly high impact. Fortunately this vulnerability only affects a very limited subset of OpenSSL users and was noticed soon after its introduction. For comparison, the Heartbleed vulnerability (CVE-2014-0160) was introduced in 2012 and was present in production systems for years before the advisory was published in 2014.
T1190 – Exploit Public-Facing Application