Randall
2022-07-05 15:34:42 UTC
Hi Everyone,
Updates to OpenSSL came out this morning. These are in the build system now and will get to the website as soon as we can. Updates will come as I have them. The 3.0.5 builds on L-series take about 17 hours, so expect something relating to that tomorrow. J-series takes a lot longer.
You can download tarballs or obtain OpenSSL source from
* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/
* https://github.com/ituglib/openssl.git (ituglib_release branch)
The release involves the following High CVE (URLs are below).
Regards,
Randall Becker
On Behalf of the ITUGLIB Technical Committee
Heap memory corruption with RSA private key operation (CVE-2022-2274)
=====================================================================
Severity: High
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.
SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
Note that on a vulnerable machine, proper testing of OpenSSL would fail and should be noticed before deployment. ITUGLIB did not detect any issues here.
Users of the OpenSSL 3.0.4 version should upgrade to OpenSSL 3.0.5.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
This issue was reported to OpenSSL on 22nd June 2022 by Xi Ruoyao. The fix was developed by Xi Ruoyao.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220705.txt
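The advisory names three conditions that must all hold for a host to be exposed: OpenSSL 3.0.4, an x86_64 CPU with AVX512IFMA, and 2048-bit RSA private keys. The following triage script is an added example, not part of the ITUGLIB post or the OpenSSL advisory; the live-host probe in `check_host` assumes a Linux `/proc/cpuinfo`, an `openssl` binary on the PATH, and an optional private-key path passed as the first argument.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2022-2274 exposure using the three
# conditions from the advisory. Pure functions first, so they can be fed
# captured values from any host; the live probe at the bottom is Linux-only.

# $1 = output of `openssl version`, e.g. "OpenSSL 3.0.4 21 Jun 2022"
affected_version() {
    case "$1" in
        "OpenSSL 3.0.4"|"OpenSSL 3.0.4 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = space-separated CPU flag list (the "flags" line from /proc/cpuinfo)
has_avx512ifma() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'avx512ifma'
}

# $1 = RSA private key size in bits; only 2048-bit keys are affected
uses_rsa2048() {
    [ "$1" -eq 2048 ] 2>/dev/null
}

# All three conditions must hold; prints AFFECTED or NOT_AFFECTED.
assess() {
    if affected_version "$1" && has_avx512ifma "$2" && uses_rsa2048 "$3"; then
        echo AFFECTED
    else
        echo NOT_AFFECTED
    fi
}

# Best-effort live probe; tolerates a missing openssl, /proc/cpuinfo or key.
# $1 = path to a PEM private key (assumed; skipped when absent).
check_host() {
    ver=$(command -v openssl >/dev/null 2>&1 && openssl version 2>/dev/null || echo unknown)
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2 || true)
    bits=0
    if [ -n "${1:-}" ] && [ -r "$1" ]; then
        # Works for both "Private-Key: (2048 bit, 2 primes)" and "RSA Private-Key: (2048 bit)"
        bits=$(openssl pkey -in "$1" -noout -text 2>/dev/null | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    fi
    echo "openssl: $ver"
    echo "avx512ifma: $(has_avx512ifma "$flags" && echo yes || echo no)"
    echo "rsa key bits: ${bits:-0}"
    echo "result: $(assess "$ver" "$flags" "${bits:-0}")"
    return 0
}

check_host "${1:-}"
```

A NOT_AFFECTED result only rules out this CVE's trigger conditions; the advisory still directs 3.0.4 users to upgrade to 3.0.5 regardless of CPU or key size.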