A high-severity vulnerability in OpenSSL might allow a hostile actor to execute the malware on server-side devices.
OpenSSL is a widely used encryption library that provides an open source version of the SSL and TLS protocols. It offers tools for, among other things, creating RSA private keys and performing encryption and decryption.
An alert indicates that the OpenSSL 3.0.4 version introduced a "serious bug" in the RSA implementation for X86 64 CPUs supporting the AVX512IFMA instructions.
Because of this flaw (CVE-2022-2274), the RSA implementation with 2048-bit private keys is incorrect, resulting in memory corruption during the computation.
As a result of the memory corruption, an attacker may be able to perform RCE on the system performing the computation, OpenSSL maintainers said.
On June 22, 2022, Xi Ruoyao, who also built the patch, reported this problem to OpenSSL.
This problem affects SSL/TLS servers and other servers that use 2048-bit RSA private keys and operate on computers that implement AVX512IFMA instructions of the X86 64 architecture.
“On a vulnerable machine, proper testing of OpenSSL would fail and should be noticed before deployment,” the advisory reads.
Users using OpenSSL 3.0.4 should update to OpenSSL 3.0.5. This problem does not affect OpenSSL 1.1.1 or 1.0.2.