Jump to content
  • OpenSSL to Release Security Patch for Remote Memory Corruption Vulnerability

    aum

    • 371 views
    • 2 minutes
     Share


    • 371 views
    • 2 minutes

    The latest version of the OpenSSL library has been discovered as susceptible to a remote memory-corruption vulnerability on select systems.


    The issue has been identified in OpenSSL version 3.0.4, which was released on June 21, 2022, and impacts x64 systems with the AVX-512 instruction set. OpenSSL 1.1.1 as well as OpenSSL forks BoringSSL and LibreSSL are not affected.


    Security researcher Guido Vranken, who reported the bug at the end of May, said it "can be triggered trivially by an attacker." Although the shortcoming has been fixed, no patches have been made available as yet.


    OpenSSL is a popular cryptography library that offers an open source implementation of the Transport Layer Security (TLS) protocol. Advanced Vector Extensions (AVX) are extensions to the x86 instruction set architecture for microprocessors from Intel and AMD.


    "I do not think this is a security vulnerability," Tomáš Mráz of the OpenSSL Foundation said in a GitHub issue thread. "It is just a serious bug making the 3.0.4 release unusable on AVX-512 capable machines."


    On the other hand, Alex Gaynor pointed out, "I'm not sure I understand how it's not a security vulnerability. It's a heap buffer overflow that's triggerable by things like RSA signatures, which can easily happen in remote contexts (e.g. a TLS handshake)."


    Xi Ruoyao, a postgraduate student at Xidian University, chimed in, stating that although "I think we shouldn't mark a bug as 'security vulnerability' unless we have some evidence showing it can (or at least, may) be exploited," it's necessary to release version 3.0.5 as soon as possible given the severity of the issue.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...