OpenSSL High-Severity Vulnerability Could Lead to RCE

July 7, 2022


OpenSSL has released a security update to address a high-severity vulnerability in OpenSSL 3.0.4.

An attacker may be able to exploit this vulnerability to achieve remote code execution on the machine performing the affected RSA computation.

The Vulnerability

  • CVE-2022-2274 (High Severity) – heap memory corruption during RSA private key operations.
    OpenSSL 3.0.4 introduced a bug in its RSA implementation for x86_64 CPUs that support the AVX512IFMA instructions. On such machines, RSA private key operations with 2048-bit keys produce incorrect results and corrupt heap memory during the computation.
    An attacker may be able to turn this memory corruption into remote code execution on the machine performing the computation. SSL/TLS servers and other services that use 2048-bit RSA private keys on AVX512IFMA-capable hardware are the exposed population.

Affected Versions

  • OpenSSL 3.0.4 only; the bug was introduced in that release, and OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Mitigation

CYREBRO recommends updating affected systems to the latest OpenSSL release, OpenSSL 3.0.5, which fixes this issue. Products that bundle their own OpenSSL build (such as those covered by the QNAP advisory referenced below) need the vendor's updated release rather than a library update alone.
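As a practical check for the affected-versions and mitigation points above, here is an added POSIX shell script (example code written for this page, not part of the CYREBRO advisory or of OpenSSL's own tooling). It treats a host as exposed only when both advisory conditions hold: the installed OpenSSL reports version 3.0.4 and the CPU advertises the avx512ifma flag in /proc/cpuinfo. The binary name openssl, the /proc/cpuinfo path and the sample flag strings are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CYREBRO advisory or OpenSSL's own tooling:
# decide whether a Linux host is exposed to CVE-2022-2274.
# Exposure needs BOTH conditions from the advisory: OpenSSL 3.0.4 exactly,
# and an x86_64 CPU that supports AVX512IFMA (flag "avx512ifma" in /proc/cpuinfo).
# Assumptions: the openssl binary is on PATH and /proc/cpuinfo is readable.

# parse_openssl_version "OpenSSL 3.0.4 21 Jun 2022" -> prints "3.0.4"
parse_openssl_version() {
    set -f               # no globbing while we word-split the version banner
    set -- $1            # word 2 of "OpenSSL <version> <date>" is the version
    set +f
    printf '%s\n' "$2"
}

# is_vulnerable_version VERSION -> exit 0 only for the single affected release
is_vulnerable_version() {
    case "$1" in
        3.0.4) return 0 ;;
        *)     return 1 ;;
    esac
}

# flags_have_avx512ifma "flags : fpu ... avx512ifma ..." -> exit 0 if the flag is present
flags_have_avx512ifma() {
    case " $1 " in
        *" avx512ifma "*) return 0 ;;
        *)                return 1 ;;
    esac
}

# first_flags_line FILE -> prints the first "flags" line of a cpuinfo-style file
first_flags_line() {
    [ -r "$1" ] || return 1
    while IFS= read -r line; do
        case "$line" in
            flags*) printf '%s\n' "$line"; return 0 ;;
        esac
    done < "$1"
    return 1
}

# assess VERSION yes|no -> prints a verdict.
# Returns 0: affected (3.0.4 on an AVX512IFMA CPU)
#         2: vulnerable build, but this CPU lacks AVX512IFMA (still upgrade)
#         1: not affected
assess() {
    version="$1"; has_ifma="$2"
    if is_vulnerable_version "$version"; then
        if [ "$has_ifma" = yes ]; then
            echo "AFFECTED: OpenSSL $version on an AVX512IFMA CPU; upgrade to 3.0.5"
            return 0
        fi
        echo "VULNERABLE BUILD: OpenSSL $version, but this CPU lacks AVX512IFMA; upgrade to 3.0.5 before this binary runs on newer hardware"
        return 2
    fi
    echo "not affected: OpenSSL ${version:-(not found)}"
    return 1
}

# Live check against this host (assumed paths: openssl on PATH, /proc/cpuinfo).
main() {
    ver=$(parse_openssl_version "$(openssl version 2>/dev/null)")
    ifma=no
    if flags_have_avx512ifma "$(first_flags_line /proc/cpuinfo)"; then ifma=yes; fi
    assess "$ver" "$ifma"
}

rc=0
main || rc=$?
```

Run it on each host; the printed verdict is the result, and assess's status (0 affected, 2 vulnerable build on non-AVX512IFMA hardware, 1 not affected) is kept in rc. Two caveats: a distribution build that backports the fix may still report 3.0.4, so confirm against the package changelog in that case; and a vulnerable 3.0.4 build on a CPU without AVX512IFMA becomes exploitable the moment the same binary or image is moved to newer hardware, which is why the script flags that case separately instead of calling it safe.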


References: NIST Advisory, QNAP Advisory
