Security Patch for Remote Memory Corruption Vulnerability to be Released by OpenSSL

The most recent version of the OpenSSL library has been found to be vulnerable to a remote memory-corruption flaw on particular platforms.
The problem has been found in OpenSSL 3.0.4, which was made available on June 21, 2022. It affects x64 systems using the AVX-512 instruction set. OpenSSL 1.1.1 and the OpenSSL forks BoringSSL and LibreSSL are unaffected.
The problem was discovered by security researcher Guido Vranken at the end of May, and he stated that it “may be triggered trivially by an attacker.” Although the flaw has been resolved, there are currently no patches available.
OpenSSL is a well-known encryption package that provides an open source implementation of the Transport Layer Security (TLS) protocol. Advanced Vector Extensions (AVX) are additions to the x86 instruction set architecture for Intel and AMD microprocessors.
In a GitHub issue thread, Tomáš Mráz from the OpenSSL Foundation stated, “I do not think this is a security problem.” It’s merely a significant problem that prevents AVX-512 capable PCs from running the 3.0.4 release.
However, Alex Gaynor pointed out, “It’s hard for me to see how it’s not a security flaw. It’s a heap buffer overflow that can easily occur in remote circumstances (like a TLS handshake) and is caused by things like RSA signatures.”
According to Xi Ruoyao, a graduate student at Xidian University, “I think we shouldn’t mark a bug as ‘security vulnerability’ unless we have some evidence showing it can (or at least, may) be exploited,” but given the gravity of the problem, it’s imperative to release version 3.0.5 as soon as possible.
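As an added example (not code from OpenSSL or from anyone quoted above), the following Python checks a Linux host for the combination the article describes: OpenSSL 3.0.4 on a CPU that advertises AVX-512. Treating any `avx512*` flag in `/proc/cpuinfo` as "AVX-512 capable" is an assumption, and the function names and sample data are constructed for illustration.

```python
import re
import ssl

AFFECTED = (3, 0, 4)  # the only release the article names as affected

# Constructed /proc/cpuinfo excerpts (sample data, not from a real host).
SAMPLE_AVX512 = "processor : 0\nflags : fpu sse2 avx avx2 avx512f avx512ifma\n"
SAMPLE_PLAIN = "processor : 0\nflags : fpu sse2 avx avx2\n"


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an OpenSSL banner, else None."""
    m = re.match(r"\s*OpenSSL\s+(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def avx512_flags(cpuinfo_text):
    """Return sorted avx512* flags, or None if no 'flags' line is present."""
    found, seen = set(), False
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            seen = True
            found.update(f for f in value.split() if f.startswith("avx512"))
    return sorted(found) if seen else None


def assess(banner, cpuinfo_text):
    """Classify a host as 'affected', 'not-affected' or 'unknown'."""
    if re.match(r"\s*(LibreSSL|BoringSSL)\b", banner):
        return "not-affected"  # the article lists both forks as unaffected
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"  # unrecognised banner: inspect manually
    if version != AFFECTED:
        return "not-affected"  # the article names only 3.0.4
    flags = avx512_flags(cpuinfo_text)
    if flags is None:
        return "unknown"  # CPU features unreadable (e.g. non-Linux host)
    # Assumption: any avx512* flag counts as "AVX-512 capable".
    return "affected" if flags else "not-affected"


if __name__ == "__main__":
    # ssl.OPENSSL_VERSION is the library this Python is linked against,
    # which may differ from the system `openssl` binary or bundled copies.
    try:
        with open("/proc/cpuinfo") as fh:
            cpuinfo = fh.read()
    except OSError:
        cpuinfo = ""
    print(ssl.OPENSSL_VERSION, "->", assess(ssl.OPENSSL_VERSION, cpuinfo))
```

Run it with each interpreter or virtual environment in use, since statically linked or bundled copies of OpenSSL report their own version.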