CVE-2022-2274: RSA implementation bug in AVX512IFMA instructions
First published: Fri Jul 01 2022(Updated: )
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
Credit: openssl-security@openssl.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenSSL OpenSSL | =3.0.4 | |
| Netapp Snapcenter | ||
| Netapp H410c Firmware | ||
| Netapp H410c | ||
| Netapp H300s Firmware | ||
| Netapp H300s | ||
| Netapp H500s Firmware | ||
| Netapp H500s | ||
| Netapp H700s Firmware | ||
| Netapp H700s | ||
| Netapp H410s Firmware | ||
| Netapp H410s |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4d8a88c134df634ba610ff8db1eb8478ac5fd345
- https://github.com/openssl/openssl/issues/18625
- https://security.netapp.com/advisory/ntap-20220715-0010/
- https://www.openssl.org/news/secadv/20220705.txt
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=4d8a88c134df634ba610ff8db1eb8478ac5fd345
Frequently Asked Questions
What is CVE-2022-2274?
CVE-2022-2274 is a vulnerability in the OpenSSL 3.0.4 release that affects X86_64 CPUs supporting AVX512IFMA instructions.
What is the severity of CVE-2022-2274?
CVE-2022-2274 has a severity rating of 9.8 (Critical).
How does CVE-2022-2274 impact RSA implementation with 2048 bit private keys?
CVE-2022-2274 causes the RSA implementation with 2048 bit private keys to be incorrect on machines with X86_64 CPUs supporting AVX512IFMA instructions, leading to memory corruption during computation.
Which software versions are affected by CVE-2022-2274?
Version 3.0.4 of OpenSSL, Netapp Snapcenter, Netapp H410c Firmware, Apple macOS Ventura, Apple macOS Big Sur, and Apple macOS Monterey are affected by CVE-2022-2274.
How can I mitigate the effects of CVE-2022-2274?
To mitigate the effects of CVE-2022-2274, users are advised to upgrade to a version of OpenSSL that contains the patch for this vulnerability.
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/weakness
- agent/remedy
- agent/severity
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/references
- agent/tags
- agent/event
- agent/first-publish-date
- vendor/openssl
- canonical/openssl openssl
- version/openssl openssl/3.0.4
- vendor/netapp
- canonical/netapp snapcenter
- canonical/netapp h410c firmware
- canonical/netapp h410c
- canonical/netapp h300s firmware
- canonical/netapp h300s
- canonical/netapp h500s firmware
- canonical/netapp h500s
- canonical/netapp h700s firmware
- canonical/netapp h700s
- canonical/netapp h410s firmware
- canonical/netapp h410s