CVE-2022-2274 — Out-of-bounds Write in Openssl

CWE-787 — Out-of-bounds Write CWE-122 — Heap-based Buffer Overflow15 documents10 sources

Severity

9.8CRITICALNVD

EPSS

39.7%

top 2.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl Paloalto Pan-os

Timeline

PublishedJul 1

Latest updateSep 4

Description

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys runnin…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶debiandebian/openssl< openssl 3.0.4-2 (bookworm)

▶Debianopenssl/openssl< 3.0.4-2+2

▶CVEListV5openssl/opensslAffects OpenSSL 3.0.4

▶NVDopenssl/openssl3.0.4

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

OSV

Heap memory corruption with RSA private key operation↗2022-07-05

▶

OSV

openssl-src heap memory corruption with RSA private key operation↗2022-07-02

▶

GHSA

openssl-src heap memory corruption with RSA private key operation↗2022-07-02

▶

OSV

CVE-2022-2274: The OpenSSL 3↗2022-07-01

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-09-04

▶

CISA ICS

Siemens SIMATIC S7-1500 TM MFP Linux Kernel↗2023-06-15

▶

Oracle

Oracle Oracle JD Edwards Risk Matrix: Enterprise Infrastructure SEC (OpenSSL) — CVE-2022-2274↗2023-04-15

▶

CISA ICS

Siemens SINEC INS↗2023-01-17

▶

Oracle

Oracle Oracle Essbase Risk Matrix: Essbase Web Platform (OpenSSL) — CVE-2022-2274↗2023-01-15

▶

🕵️Threat Intelligence

Qualys

The January 2023 Oracle Critical Patch Update↗2023-01-18

▶

Qualys

The January 2023 Oracle Critical Patch Update | Qualys↗2023-01-18

▶

📄Research Papers

arXiv

One for All and All for One: GNN-based Control-Flow Attestation for Embedded Devices↗2024-03-12

▶