Bug 2102943 (CVE-2022-2274)
Summary: | CVE-2022-2274 openssl: AVX-512-specific heap buffer overflow | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | asoldano, bbaranow, bdettelb, berrange, bmaxwell, bootloader-eng-team, brian.stansberry, caswilli, cdewolf, cfergeau, chazlett, cllang, crobinso, crypto-team, csutherl, darran.lofthouse, dbelyavs, ddepaula, dffrench, dhalasz, dkreling, dkuc, dosoudil, dueno, elima, epel-packagers-sig, erik-fedora, fjansen, fjuma, fmartine, gzaronik, iweiss, jary, jburrell, jclere, jferlan, jkoehler, jochrist, jwong, jwon, kaycoth, krathod, kraxel, kshier, ktietz, lgao, marcandre.lureau, mcascell, michal.skrivanek, michel, micjohns, mjg59, mmadzin, mosmerov, mperina, msochure, mspacek, msvehla, mturk, ngough, nwallace, pbonzini, peholase, philmd, pjindal, pjones, plodge, pmackay, redhat-bugzilla, rgodfrey, rharwood, rh-spice-bugs, rjones, rstancel, rsvoboda, sahana, sbonazzo, security-response-team, smaestri, stcannon, sthirugn, szappis, tfister, tm, tom.jenkinson, virt-maint, virt-maint, vkrizan, vkumar, vmugicag, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | openssl 3.0.5 | Doc Type: | If docs needed, set a value |
Doc Text: |
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-07-02 02:41:56 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 2102941 |
Description
Sandipan Roy
2022-07-01 04:39:46 UTC
Upstream fix PR: https://github.com/openssl/openssl/pull/18626 Upstream fix commit: https://github.com/openssl/openssl/commit/4d8a88c134df634ba610ff8db1eb8478ac5fd345 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-2274 |