CVE-2022-2274
Description
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048-bit private keys incorrect on such machines, and memory corruption will happen during the computation. As a consequence of the memory corruption, an attacker may be able to trigger remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048-bit RSA private keys and running on machines that support the AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
55.911
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2022-2274 are fixed in OpenSSL 3.0.5-dev | Windows |
| Vulnerabilities CVE-2022-2274 are fixed in OpenSSL (x64) 3.0.5-dev | Windows |
| Multiple vulnerabilities are fixed in Node.js 14 (x64) (14.20.0) | Windows |
| Multiple vulnerabilities are fixed in Node.js 14 (14.20.0) | Windows |
| Multiple vulnerabilities are fixed in Node.js 16 (x64) (16.16.0) | Windows |
| Multiple vulnerabilities are fixed in Node.js 16 (16.16.0) | Windows |
| Multiple vulnerabilities are fixed in Node.js 18 (18.17.0) | Windows |
| Multiple vulnerabilities are fixed in Node.js 18 (x64) (18.17.0) | Windows |
| Vulnerabilities CVE-2022-2274 are fixed in OpenSSL 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2097,CVE-2022-2274 are fixed in OpenSSL 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2274 are fixed in OpenSSL (64-bit) 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2097,CVE-2022-2274 are fixed in OpenSSL (64-bit) 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2274 are fixed in OpenSSL (MSI)(x64) 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2097,CVE-2022-2274 are fixed in OpenSSL (MSI)(x64) 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2274 are fixed in OpenSSL (MSI)(x86) 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2097,CVE-2022-2274 are fixed in OpenSSL (MSI)(x86) 3.0.5 | Windows |
| Multiple vulnerabilities are affected in Oracle HTTP Server 12.2.1.4.0 | Windows |
| Multiple Vulnerabilities are affected in Netapp Snapcenter 2.3 | Windows |
| Vulnerabilities CVE-2022-2274 are fixed in OpenSSL Light 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2097,CVE-2022-2274 are fixed in OpenSSL Light 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2274 are fixed in OpenSSL Light (x64) 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2097,CVE-2022-2274 are fixed in OpenSSL Light (x64) 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2274 are fixed in OpenSSL Library 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2097,CVE-2022-2274 are fixed in OpenSSL Library 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2274 are fixed in OpenSSL Library x86 3.0.5 | Windows |
| Vulnerabilities CVE-2022-2097,CVE-2022-2274 are fixed in OpenSSL Library x86 3.0.5 | Windows |
| Out-of-bounds Write Vulnerability (CVE-2022-2274) | NCM |
Patch Details
Patches provided by ManageEngine for this CVE:
| Patch ID | Patch Description |
|---|---|
| PATCH-329083 | Node.js 14 (x64) (14.21.3) |
| PATCH-329082 | Node.js 14 (14.21.3) |
| PATCH-331257 | Node.js 16 (x64) (16.20.1) |
| PATCH-331256 | Node.js 16 (16.20.1) |
| PATCH-331762 | Node.js 18 (18.17.0) |
| PATCH-331763 | Node.js 18 (x64) (18.17.0) |
| PATCH-355449 | OpenSSL (3.6.1) |
| PATCH-355451 | OpenSSL Light (3.6.1) |
| PATCH-355452 | OpenSSL Light (x64) (3.6.1) |