logo

Security Advisories

Documentation Cloud Services Solutions

CV_2022_10_2: Remote Memory Corruption Vulnerability in OpenSSL NO IMPACT

  This advisory is archived

Archived security advisories updated before March 15, 2024 have been migrated from our previous documentation site in their original format. For this reason, they may not conform to the updated look and feel of advisories published after March 15, 2024.

  • Advisory ID: CV_2022_10_2
  • Issued: 2022-10-31
  • Updated: 2022-10-31
  • Additional Links:

Impacted Products

This vulnerability does not affect Commvault products.

Resolution

CVE-2022-2274 affects OpenSSL 3.0 and above versions. Commvault uses OpenSSL version 1.1.1, which is not affected by this vulnerability. This includes all Commvault Software, HyperScale X, ThreatWise, and Commvault File System packages that are not affected by this vulnerability.

CVE Details

Info Description

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

Documentation

https://documentation.commvault.com