⚡ TL;DR | Go Straight to the OpenSSL Report
The OpenSSL Project released new versions today of their package including fixes for two vulnerabilities.
| Severity | CVE | Versions Affected | Description |
| High | CVE-2022-2274 | 3.0.4 | AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. |
| Moderate | CVE-2022-2097 | 3.0.0-3.0.4 1.1.1-1.1.1p | The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. |
The vulnerabilities are fixed in the latest version, 3.0.5 or 1.1.1q depending on which version of OpenSSL you are currently using.
CVE-2022-2274 lists that if exploited successfully, attackers can trigger a remote code execution (RCE) on the machine that is performing the computation. For the less severe vulnerability, CVE-2022-2097, the lack of encryption could lead to partial data being revealed in plain text. OpenSSL has detailed the vulnerabilities more in their vulnerability news section.
