OpenSSL Fixes Multiple Vulnerabilities


The OpenSSL Project today released new versions of OpenSSL that fix two vulnerabilities.

| Severity | CVE | Versions Affected | Description |
| --- | --- | --- | --- |
| High | CVE-2022-2274 | 3.0.4 | The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. |
| Moderate | CVE-2022-2097 | 1.1.1 (before 1.1.1q) and 3.0 (before 3.0.5) | AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. |

The vulnerabilities are fixed in the latest release of each series: 3.0.5 or 1.1.1q, depending on which version of OpenSSL you are currently using.

The advisory for CVE-2022-2274 states that, if exploited successfully, an attacker can trigger remote code execution (RCE) on the machine performing the RSA computation. For the less severe vulnerability, CVE-2022-2097, the incomplete encryption could leave part of the data exposed in plain text. OpenSSL documents both issues in more detail in its vulnerabilities news section.
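As an added example (not part of the advisory or of OpenSSL's own tooling), the following script parses the banner printed by `openssl version` and reports which of the two CVEs apply to that build. It assumes, as the fix versions above imply, that CVE-2022-2274 affects only 3.0.4 and that CVE-2022-2097 affects 1.1.1 releases before 1.1.1q and 3.0 releases before 3.0.5; the sample banners are constructed.

```python
import re
import subprocess

# Matches "OpenSSL 1.1.1q ..." (letter-suffixed 1.1.1 series) and "OpenSSL 3.0.5 ..." (numeric 3.0 series).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(banner):
    """Turn an `openssl version` banner into a comparable (major, minor, patch, letter) tuple.

    The 1.1.1 series uses a trailing letter (1.1.1q); it is mapped to 1..26 so tuples
    compare in release order, and a missing letter becomes 0 (so 1.1.1 < 1.1.1a).
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, patch, suffix = m.groups()
    letter = ord(suffix) - ord("a") + 1 if suffix else 0
    return (int(major), int(minor), int(patch), letter)


def applicable_cves(banner):
    """Return the CVEs from this advisory that apply to the version in `banner`.

    This is a version-only check and therefore conservative: CVE-2022-2274 only
    bites on x86_64 CPUs with AVX512IFMA and CVE-2022-2097 only on 32-bit x86
    with the AES-NI assembly, but patching is the right answer either way.
    """
    v = parse_version(banner)
    cves = []
    if v == (3, 0, 4, 0):                          # introduced in 3.0.4, fixed in 3.0.5
        cves.append("CVE-2022-2274")
    in_111 = v[:3] == (1, 1, 1) and v < parse_version("OpenSSL 1.1.1q")
    in_30 = v[:2] == (3, 0) and v < (3, 0, 5, 0)
    if in_111 or in_30:                            # fixed in 1.1.1q and 3.0.5 respectively
        cves.append("CVE-2022-2097")
    return cves                                    # other series are outside this advisory


def check_local_openssl():
    """Run `openssl version` on this host and return (banner, applicable CVEs)."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    return out.strip(), applicable_cves(out)


if __name__ == "__main__":
    # Constructed banners, shown alongside the live check of the local binary.
    for sample in ("OpenSSL 3.0.4", "OpenSSL 1.1.1p", "OpenSSL 1.1.1q", "OpenSSL 3.0.5"):
        print(f"{sample}: {applicable_cves(sample) or 'not affected'}")
    banner, cves = check_local_openssl()
    print(f"local {banner}: {cves or 'not affected'}")
```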
