Security News > 2022 > July > OpenSSL Releases Patch for High-Severity Bug that Could Lead to RCE Attacks
The maintainers of the OpenSSL project have released patches to address a high-severity bug in the cryptographic library that could potentially lead to remote code execution under certain scenarios.
The issue, now assigned the identifier CVE-2022-2274, has been described as a case of heap memory corruption with RSA private key operation that was introduced in OpenSSL version 3.0.4 released on June 21, 2022.
First released in 1998, OpenSSL is a general-purpose cryptography library that offers open-source implementation of the Secure Sockets Layer and Transport Layer Security protocols, enabling users to generate private keys, create certificate signing requests, install SSL/TLS certificates.
Calling it a "Serious bug in the RSA implementation," the maintainers said the flaw could lead to memory corruption during computation that could be weaponized by an attacker to trigger remote code execution on the machine performing the computation.
Xi Ruoyao, a Ph.D. student at Xidian University, has been credited with reporting the flaw to OpenSSL on June 22, 2022.
Users of the library are recommended to upgrade to OpenSSL version 3.0.5 to mitigate any potential threats.
News URL
https://thehackernews.com/2022/07/openssl-releases-patch-for-high.html
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration (source)
- CISA Flags Two Actively Exploited Palo Alto Flaws; New RCE Attack Confirmed (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-07-01 | CVE-2022-2274 | Out-of-bounds Write vulnerability in multiple products The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. | 9.8 |