#今天又看了啥 #CVE #OpenSSL #security CVE-2022-2274 The OpenSS | MiaoTony's Box

#今天又看了啥 #CVE #OpenSSL #security
CVE-2022-2274
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

OpenSSL RSA 组件中存在一处堆溢出漏洞，攻击者可以通过精心构造 tls 认证请求或其他认证行为来触发该漏洞，并可能导致远程代码执行。
漏洞等级：严重，漏洞评分：9.8，影响范围：OpenSSL == 3.0.4

该漏洞有如下限制，（并列条件）
- 使用 RSA 算法，私钥长度2048bit
- CPU架构为 AVX512IFMA （常见为 intel 的x86桌面处理器）
但上述情况是主流*nix服务器的默认配置，需要特别注意
在满足上述条件的服务器上执行以下行为可能受到该漏洞影响
- ssh 认证
- tls 认证
- 文件签名认证

https://www.openssl.org/news/secadv/20220705.txt
https://github.com/openssl/openssl/issues/18625 (有何影响见 FAQ
密码学分析: Notes on OpenSSL remote memory corruption
360漏洞通告: CVE-2022-2274: OpenSSL RSA 远程代码执行漏洞通告