• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2022-2274- A Heap Memory Corruption Vulnerability In OpenSSL
How to Fix CVE-2022-2274- A Heap Memory Corruption Vulnerability in OpenSSL

On 5th July, OpenSSL published an advisory that talks about a high severity vulnerability in its software library. The flaw that is tracked as CVE-2022-2274 would cause the RSA implementation with 2048-bit private keys to be incorrect and corrupt the system memory. As a result, an attacker may be able to trigger remote code execution on the machine performing the computation. Since the flaw allows attackers to perform remote code execution, it is important to learn how to Fix CVE-2022-2274- A Heap Memory Corruption Vulnerability in OpenSSL.

Before we jump in to know how to fix CVE-2022-2274, a Heap Memory Corruption Vulnerability in OpenSSL, let’s see about the RSA encryption and the role and usage of RSA encryption in OpenSSL.

RSA Encryption

RSA encryption is a public-key cryptography algorithm that is used to encrypt and decrypt data. It is one of the most popular and secure methods of encryption and is widely used in both commercial and government applications. RSA encryption is based on the factoring of large integers, and it is considered to be very secure. However, it is computationally intensive and can be slower than other methods of encryption.

OpenSSL

OpenSSL is a widely-used open-source implementation of the SSL and TLS protocols. It includes a library of cryptographic algorithms, which can be used to encrypt data. RSA is one of the algorithms that is supported by OpenSSL.

The Role Of RSA Encryption In OpenSSL

To use RSA encryption with OpenSSL, you need to generate a public/private key pair. This can be done using the OpenSSL command-line tool. First, generate a private key:

$openssl genrsa -out private_key.pem 2048

This will generate a private key file called “private_key.pem” that is 2048 bits long. Next, generate a public key from the private key:

$openssl rsa -pubout -in private_key.pem -out public_key.pem

This will generate a public key file called “public_key.pem” that is derived from the private key.

To encrypt data using RSA, you need to have the recipient’s public key. You can then use the OpenSSL command-line tool to encrypt the data:

$openssl rsautl -encrypt -in data.txt -pubin -inkey public_key.pem -out encrypted_data.txt

This will encrypt the file “data.txt” using the public key and output the encrypted data to “encrypted_data.txt”. To decrypt the data, you need to have the private key and use the OpenSSL command-line tool:

$openssl rsautl -decrypt -in encrypted_data.txt -inkey private_key.pem -out decrypted_data.txt

This will decrypt the file “encrypted_data.txt” using the private key and output the decrypted data to “decrypted_data.txt”.

RSA encryption is a very popular and secure method of encryption, and OpenSSL provides an easy way to use it.

Summary Of CVE-2022-2274

The flaw is a heap memory corruption vulnerability in OpenSSL. The vulnerability is in the RSA implementation for X86_64 CPUs that support the AVX512IFMA instructions. The flaw that is tracked as CVE-2022-2274 would cause the RSA implementation with 2048-bit private keys to be incorrect and corrupt the system memory. As a result, an attacker may be able to trigger remote code execution on the machine performing the computation. The CVSS score and the severity rating have not been calculated at the time of writing this post.

OpenSSL Versions Vulnerable To CVE-2022-2274- The Heap Memory Corruption Vulnerability In OpenSSL

This vulnerability affects all the servers that use 2048-bit RSA private keys with AVX512IFMA instructions of the X86_64 architecture. The official advisory says OpenSSL version 3.0.4 is affected by the CVE-2022-2274 vulnerability. OpenSSL v1.1.0 and v1.0.2 are safe from this heap memory corruption vulnerability. Users of v1.x can ignore this flaw. Check the version of the OpenSSL version running on your machine and take the required action.

Run this command to check the version of the OpenSSL running on your machine.

$ openssl version

How To Fix CVE-2022-2274- A Heap Memory Corruption Vulnerability in OpenSSL?

OpenSSL addresses the vulnerabilities in its new releases. OpenSSL has rolled out a new version with the patch. We suggest finding out the current version of OpenSSL on your machines and upgrading to v3.0.5. Users of v1.x can ignore this flaw since OpenSSL v1.1.0 and v1.0.2 are safe from this heap memory corruption vulnerability.

Time needed: 30 minutes.

How To Fix CVE-2022-2274?

  1. Check the OpenSSL version

    Run this command to check the version of OpenSSL:

    $ openssl version

    Check the OpenSSL version

  2. Download the latest OpenSSL package

    Download the correct package you need. In this case, since we have OpenSSL v3.0.4, we need to download v3.0.5.

    $ cd Downloads/
    $ wget https://www.openssl.org/source/openssl-3.0.5.tar.gz

    $ chmod +x openssl-3.0.5.tar.gz

    Download the latest OpenSSL package

  3. Extract the OpenSSL package

    Extract the downloaded package to a folder.

    $ tar -zxf openssl-3.0.5.tar.gz
    $ cd openssl-3.0.5/

    Extract the OpenSSL package

  4. Manually compile OpenSSL 3.0.5

    Run this command to compile and create configdata.pm and makefile.

    $ sudo ./config

    Manually compile OpenSSL 3.0.5

  5. Install/upgrade OpenSSL

    Issue these commands to install or upgrade the OpenSSL.

    $ sudo make
    $ sudo make test
    $ sudo mv /usr/bin/openssl ~/tmp (Backup current openssl binary)
    $ sudo make install
    $ ldconfig /usr/local/lib64/

    Note: You may need to install make and gcc utilities before you install or upgrade the OpenSSL. Run this command to install the required packages if not preinstalled.

    $ sudo apt install make gcc


    Install or upgrade OpenSSL

  6. Create symbolic link from newly install binary to the default location

    $ sudo ln -s /usr/local/bin/openssl /usr/bin/openssl

    Create symbolic link from newly install binary to the default location

  7. Update the symbolic links in Ubuntu

    Run these commands to update symbolic links and rebuild the library cache:

    $ sudo ldconfig

    Update the symbolic links in Ubuntu

  8. Check the OpenSSL version once again after the patch

    Check the version of OpenSSL:

    $ openssl version

    Check the OpenSSL version once again after the patch

How To Fix The OpenSSL Error Loading Shared Libraries?

Some people would get an error in loading shared libraries. If you are one among those with such bad luck, if you see this error “openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory“, then this section is for you.

  1. Edit ld.conf file to add a line containing /usr/local/lib64
$ sudo nano /etc/ld.so.conf.d/lib.conf
/usr/local/lib64

OR

2. Sometimes, openssl is installed at /usr/local/ssl. Create a file and add a line containing /usr/local/ssl/lib64

$ sudo nano /etc/ld.so.conf.d/openssl.conf
/usr/local/ssl/lib64

Update the library paths upon adding the path to the file.

$ sudo ldconfig

Check the OpenSSL version.

$ openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)

We hope this post will help you know how to Fix CVE-2022-2274- A Heap Memory Corruption Vulnerability in OpenSSL. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.