The OpenSSL project has released patches addressing the OpenSSL high severity vulnerability CVE-2022-2274 and CVE-2022-2097, along with moderate severity ones, in its cryptographic library; the flaws could lead to remote code execution in specific scenarios. These vulnerabilities can be detected using a vulnerability management tool. OpenSSL is a widely used cryptographic library that offers a free implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It includes tools to generate RSA private keys and to perform encryption, decryption and related operations.
With a patch management solution, known vulnerabilities such as these can be patched across the estate.
Vulnerability Details
CVE-2022-2274 – Heap memory corruption with RSA private key operation
Severity: High
OpenSSL 3.0.4 introduced a serious bug in the RSA implementation for X86_64 processors that support the AVX512IFMA instructions. On such machines the issue causes memory corruption during RSA operations with 2048-bit private keys. Because of this memory corruption, an attacker may be able to trigger remote code execution on the machine performing the calculation.
SSL/TLS servers and other servers that use 2048-bit RSA private keys on X86_64 machines supporting the AVX512IFMA instructions are affected by this issue.
CVE-2022-2097 – AES OCB fails to encrypt some bytes
Severity: Moderate
This programming fault occurs on 32-bit processors: not all data is encrypted in AES OCB mode, which can lead to a leak. AES OCB mode for 32-bit x86 platforms using the optimised AES-NI assembly will not encrypt the complete input under certain circumstances. This might reveal sixteen bytes of pre-existing data in memory that was not written. In the case of “in place” encryption, sixteen bytes of plaintext would be revealed.
Since OpenSSL does not support OCB-based cipher suites for TLS and DTLS, those protocols are not affected by this vulnerability (CVE-2022-2097).
Affected Versions
- OpenSSL 3.0.x – 3.0.4
- OpenSSL 1.1.1 – 1.1.1p
Fixed Versions
- OpenSSL 3.0.5
- OpenSSL 1.1.1q
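As an added example (not from the advisory and not SanerNow's own tooling), the following bash script classifies the version string printed by `openssl version` against the affected and fixed releases listed above, and checks the host's /proc/cpuinfo for the avx512ifma flag, the CPU feature that the CVE-2022-2274 RSA code path depends on. It treats 3.0.4 as the release carrying CVE-2022-2274, as the vulnerability details above state, and 3.0.0 to 3.0.4 and 1.1.1 to 1.1.1p as affected by CVE-2022-2097. The function names and the constructed cpuinfo line used in the demonstration are assumptions made for this example; the avx512ifma flag name is the one the Linux kernel reports.

```shell
#!/usr/bin/env bash
# Added example, not part of the advisory: check an OpenSSL version string
# against the affected/fixed releases named above, and check whether the CPU
# advertises the AVX512IFMA instructions that CVE-2022-2274 depends on.

# Print "affected", "fixed", or "not-covered" for a version string of the
# form printed by `openssl version`, e.g. "3.0.4" or "1.1.1q".
openssl_status() {
    case "$1" in
        3.0.[0-4])                 echo affected ;;     # 3.0.0 - 3.0.4, fixed in 3.0.5
        3.0.[5-9]|3.0.[1-9][0-9])  echo fixed ;;
        1.1.1|1.1.1[a-p])          echo affected ;;     # 1.1.1 - 1.1.1p, fixed in 1.1.1q
        1.1.1[q-z])                echo fixed ;;
        *)                         echo not-covered ;;  # other branches: consult the release notes
    esac
}

# Succeed (exit 0) if the cpuinfo file (default /proc/cpuinfo) lists the
# avx512ifma flag, the prerequisite for the RSA code path of CVE-2022-2274.
cpu_has_avx512ifma() {
    grep -qw 'avx512ifma' "${1:-/proc/cpuinfo}" 2>/dev/null
}

# Print "exposed" when the combination that triggers CVE-2022-2274 is present
# (OpenSSL 3.0.4 on a CPU with AVX512IFMA), otherwise "not-exposed".
rsa_avx512_exposure() {
    if [ "$1" = "3.0.4" ] && cpu_has_avx512ifma "$2"; then
        echo exposed
    else
        echo not-exposed
    fi
}

# Version string as reported by the installed binary ("3.0.4", "1.1.1q", ...).
installed_openssl_version() {
    openssl version 2>/dev/null | awk '{print $2}'
}

# Report on the running host when an openssl binary is available.
if command -v openssl >/dev/null 2>&1; then
    v=$(installed_openssl_version)
    echo "OpenSSL $v: $(openssl_status "$v"); CVE-2022-2274 (RSA + AVX512IFMA): $(rsa_avx512_exposure "$v" /proc/cpuinfo)"
fi

# Demonstration on constructed input (not a real host): a 3.0.4 build on a CPU
# whose flags line advertises avx512ifma.
demo=$(mktemp)
printf 'flags\t\t: fpu vme sse4_2 avx2 avx512f avx512ifma\n' > "$demo"
echo "demo 3.0.4 + avx512ifma: $(rsa_avx512_exposure 3.0.4 "$demo")"   # exposed
rm -f "$demo"
```

Run it on each host, or feed `openssl_status` the version strings gathered by inventory tooling; a result of "affected" means the host needs the 3.0.5 or 1.1.1q update regardless of CPU, while "exposed" identifies the machines where the RSA memory corruption can actually be reached.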
Solution
OpenSSL has released security updates addressing the OpenSSL high severity vulnerability (CVE-2022-2274 and CVE-2022-2097) in OpenSSL versions 3.0.5 and 1.1.1q.
SanerNow VM and SanerNow PM detect these vulnerabilities and remediate them. Use SanerNow to keep your systems updated and secure.