OpenSSL has patched one High risk heap memory corruption with RSA private key operation (CVE-2022-2274) in certain OpenSSL versions.
“The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation,” OpenSSL stated in a recent advisory.
As a result, an attacker could exploit the issue and trigger a remote code execution condition on the affected system.
OpenSSL added that users should upgrade systems running affected OpenSSL 3.0.4 version to the latest OpenSSL 3.0.5 version.
More information on the vulnerability has also been published on GitLab (issue #18625) ‘AVX512-specific heap buffer overflow with 3.0.4 release.’
Moreover, OpenSSL patched a Medium severity vulnerability where AES OCB fails to encrypt some bytes (CVE-2022-2097).