On 5th July, OpenSSL published an advisory that talks about a high severity vulnerability in its software library. The flaw that is tracked as CVE-2022-2274 would cause the RSA implementation with 2048-bit private keys to be incorrect and corrupt the system memory. As a result, an attacker may be able to trigger remote code execution on the machine performing the computation. Since the flaw allows attackers to perform remote code execution, it is important to learn how to Fix CVE-2022-2274- A Heap Memory Corruption Vulnerability in OpenSSL.
Before we jump in to know how to fix CVE-2022-2274, a Heap Memory Corruption Vulnerability in OpenSSL, let’s see about the RSA encryption and the role and usage of RSA encryption in OpenSSL.
RSA encryption is a public-key cryptography algorithm that is used to encrypt and decrypt data. It is one of the most popular and secure methods of encryption and is widely used in both commercial and government applications. RSA encryption is based on the factoring of large integers, and it is considered to be very secure. However, it is computationally intensive and can be slower than other methods of encryption.
OpenSSL is a widely-used open-source implementation of the SSL and TLS protocols. It includes a library of cryptographic algorithms, which can be used to encrypt data. RSA is one of the algorithms that is supported by OpenSSL.
The Role Of RSA Encryption In OpenSSL
To use RSA encryption with OpenSSL, you need to generate a public/private key pair. This can be done using the OpenSSL command-line tool. First, generate a private key:
$openssl genrsa -out private_key.pem 2048
This will generate a private key file called “private_key.pem” that is 2048 bits long. Next, generate a public key from the private key:
$openssl rsa -pubout -in private_key.pem -out public_key.pem
This will generate a public key file called “public_key.pem” that is derived from the private key.
To encrypt data using RSA, you need to have the recipient’s public key. You can then use the OpenSSL command-line tool to encrypt the data:
$openssl rsautl -encrypt -in data.txt -pubin -inkey public_key.pem -out encrypted_data.txt
This will encrypt the file “data.txt” using the public key and output the encrypted data to “encrypted_data.txt”. To decrypt the data, you need to have the private key and use the OpenSSL command-line tool:
$openssl rsautl -decrypt -in encrypted_data.txt -inkey private_key.pem -out decrypted_data.txt
This will decrypt the file “encrypted_data.txt” using the private key and output the decrypted data to “decrypted_data.txt”.
RSA encryption is a very popular and secure method of encryption, and OpenSSL provides an easy way to use it.
Summary Of CVE-2022-2274
The flaw is a heap memory corruption vulnerability in OpenSSL. The vulnerability is in the RSA implementation for X86_64 CPUs that support the AVX512IFMA instructions. The flaw that is tracked as CVE-2022-2274 would cause the RSA implementation with 2048-bit private keys to be incorrect and corrupt the system memory. As a result, an attacker may be able to trigger remote code execution on the machine performing the computation. The CVSS score and the severity rating have not been calculated at the time of writing this post.
OpenSSL Versions Vulnerable To CVE-2022-2274- The Heap Memory Corruption Vulnerability In OpenSSL
This vulnerability affects all the servers that use 2048-bit RSA private keys with AVX512IFMA instructions of the X86_64 architecture. The official advisory says OpenSSL version 3.0.4 is affected by the CVE-2022-2274 vulnerability. OpenSSL v1.1.0 and v1.0.2 are safe from this heap memory corruption vulnerability. Users of v1.x can ignore this flaw. Check the version of the OpenSSL version running on your machine and take the required action.
Run this command to check the version of the OpenSSL running on your machine.
$ openssl version
How To Fix CVE-2022-2274- A Heap Memory Corruption Vulnerability in OpenSSL?
OpenSSL addresses the vulnerabilities in its new releases. OpenSSL has rolled out a new version with the patch. We suggest finding out the current version of OpenSSL on your machines and upgrading to v3.0.5. Users of v1.x can ignore this flaw since OpenSSL v1.1.0 and v1.0.2 are safe from this heap memory corruption vulnerability.
Time needed: 30 minutes.
How To Fix CVE-2022-2274?
- Check the OpenSSL versionRun this command to check the version of OpenSSL:
$ openssl version
- Download the latest OpenSSL packageDownload the correct package you need. In this case, since we have OpenSSL v3.0.4, we need to download v3.0.5.
$ cd Downloads/
$ wget https://www.openssl.org/source/openssl-3.0.5.tar.gz
$ chmod +x openssl-3.0.5.tar.gz
- Extract the OpenSSL packageExtract the downloaded package to a folder.
$ tar -zxf openssl-3.0.5.tar.gz
$ cd openssl-3.0.5/
- Manually compile OpenSSL 3.0.5
Run this command to compile and create configdata.pm and makefile.
$ sudo ./config
- Install/upgrade OpenSSLIssue these commands to install or upgrade the OpenSSL.
$ sudo make
$ sudo make test
$ sudo mv /usr/bin/openssl ~/tmp (Backup current openssl binary)
$ sudo make install
$ ldconfig /usr/local/lib64/
Note: You may need to install make and gcc utilities before you install or upgrade the OpenSSL. Run this command to install the required packages if not preinstalled.
$ sudo apt install make gcc
- Create symbolic link from newly install binary to the default location$ sudo ln -s /usr/local/bin/openssl /usr/bin/openssl
- Update the symbolic links in UbuntuRun these commands to update symbolic links and rebuild the library cache:
$ sudo ldconfig
- Check the OpenSSL version once again after the patchCheck the version of OpenSSL:
$ openssl version
How To Fix The OpenSSL Error Loading Shared Libraries?
Some people would get an error in loading shared libraries. If you are one among those with such bad luck, if you see this error “openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory“, then this section is for you.
- Edit ld.conf file to add a line containing /usr/local/lib64
$ sudo nano /etc/ld.so.conf.d/lib.conf /usr/local/lib64
2. Sometimes, openssl is installed at /usr/local/ssl. Create a file and add a line containing /usr/local/ssl/lib64
$ sudo nano /etc/ld.so.conf.d/openssl.conf /usr/local/ssl/lib64
Update the library paths upon adding the path to the file.
$ sudo ldconfig
Check the OpenSSL version.
$ openssl version OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)