
Security Advisories


CV_2022_10_2: Remote Memory Corruption Vulnerability in OpenSSL (CRITICAL)

  This advisory is archived

Archived security advisories updated before March 15, 2024 have been migrated from our previous documentation site in their original format. For this reason, they may not conform to the updated look and feel of advisories published after March 15, 2024.

  • Advisory ID: CV_2022_10_2
  • Title: Remote Memory Corruption Vulnerability in OpenSSL
  • Severity: CRITICAL
  • Issued: 2022-10-31
  • Updated: 2022-10-31
  • CVSS Score Range: 9.0 - 10.0
  • Additional Links:

Impacted Products

This vulnerability does not affect Commvault products.

Resolution

CVE-2022-2274 affects the OpenSSL 3.0 series only: the defective AVX512IFMA RSA code path was introduced in OpenSSL 3.0.4 and removed in 3.0.5. Commvault uses OpenSSL 1.1.1, which never contained that code path and is therefore not affected. This applies to all Commvault Software, HyperScale X, ThreatWise, and Commvault File System packages; none of them require a patch for this vulnerability.

CVE Details

Description

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
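Because exposure requires both a 3.0.4 build and a CPU that advertises AVX512IFMA, a version check alone over- or under-reports. The following POSIX shell triage helper is an added example, not Commvault's code or the OpenSSL project's; the function names, the `--live` switch, and the sample version strings and cpuinfo lines are assumptions made for illustration. It takes the output of `openssl version` and the contents of `/proc/cpuinfo` and reports a host as exposed only when both conditions from the CVE description hold.

```shell
#!/bin/sh
# Added triage helper for CVE-2022-2274 (not Commvault's or OpenSSL's code).
# A host is exposed only when BOTH hold:
#   1. the OpenSSL build is exactly 3.0.4 (the release that introduced the bug;
#      3.0.5 removed it, and 1.1.1 never had the AVX512IFMA RSA path)
#   2. the CPU flags in /proc/cpuinfo include avx512ifma

# Extract "MAJOR.MINOR.PATCH" from an `openssl version` line such as
# "OpenSSL 3.0.4 21 Jun 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
openssl_version_number() {
    # $1: full `openssl version` string
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True (exit 0) only for the vulnerable 3.0.4 release.
openssl_version_vulnerable() {
    [ "$(openssl_version_number "$1")" = "3.0.4" ]
}

# True when any "flags" line of the supplied cpuinfo text lists avx512ifma
# as a whole word (so e.g. a hypothetical "avx512ifma2" would not match).
cpu_has_avx512ifma() {
    # $1: contents of /proc/cpuinfo, or at least its flags lines
    printf '%s\n' "$1" |
        grep -Eq '^flags[[:space:]]*:.*[[:space:]]avx512ifma([[:space:]]|$)'
}

# Combined verdict: exit 0 = exposed, exit 1 = not exposed.
host_exposed_to_cve_2022_2274() {
    # $1: `openssl version` output, $2: /proc/cpuinfo contents
    if openssl_version_vulnerable "$1" && cpu_has_avx512ifma "$2"; then
        return 0
    fi
    return 1
}

# Live check against the current host when invoked with --live (assumed switch).
if [ "${1:-}" = "--live" ]; then
    ver=$(openssl version 2>/dev/null || echo "OpenSSL unknown")
    cpu=$(cat /proc/cpuinfo 2>/dev/null || true)
    if host_exposed_to_cve_2022_2274 "$ver" "$cpu"; then
        echo "EXPOSED: $ver on a CPU advertising avx512ifma"
    else
        echo "not exposed: $ver"
    fi
fi
```

Note that the check inspects the `openssl` binary on `PATH`; a product that bundles its own OpenSSL (as Commvault does with 1.1.1) must be checked against that bundled library, for example by pointing the script at the product's own `openssl` binary or by inspecting the shared object it links.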
