The latest version of the OpenSSL library has been found to contain a remote memory corruption vulnerability on select systems.
The issue was identified in OpenSSL version 3.0.4, which was released on June 21, 2022, and affects x64 systems with the AVX-512 instruction set. OpenSSL 1.1.1 as well as OpenSSL forks BoringSSL and LibreSSL are not affected.
Security researcher Guido Vranken, who reported the bug in late May, said it “could be triggered by an attacker.” Although the shortcoming has been fixed, no patches have been provided yet.
OpenSSL is a popular cryptographic library that provides an open source implementation of the Transport Layer Security (TLS) protocol. Advanced Vector Extensions (AVX) is an extension to the x86 instruction set architecture for Intel and AMD microprocessors.
“I don’t think this is a security hole,” Tomáš Mráz of the OpenSSL Foundation said in a GitHub issue thread. “It’s just a fatal bug that makes the 3.0.4 release unusable on AVX-512-enabled machines.”
On the other hand, Alex Gaynor points out, “I’m not sure I understand how it’s not a security hole. It’s a heap buffer overflow that can be triggered by things like RSA signatures, which can easily happen in remote contexts (e.g. TLS handshake).”
Xi Ruoyao, a graduate student at Xidian University, said that although “I think we shouldn’t mark a bug as a ‘security hole’ unless we have some evidence that it can (or at least, possibly) exploitable”, it is necessary to release version 3.0.5 as soon as possible due to the severity of the problem.
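The affected combination described above (OpenSSL 3.0.4 on an x64 CPU with AVX-512) can be checked per host from two pieces of text: the `openssl version` banner and Linux `/proc/cpuinfo`. The following is an added triage sketch, not code from the article or from the OpenSSL project; the host names and sample inputs are constructed, and treating any `avx512*` flag as "AVX-512 present" is an assumption.

```python
import re

AFFECTED = ("OpenSSL", (3, 0, 4))  # the only product/release the article names as affected

def parse_banner(banner):
    """Split an `openssl version` banner into (product, (major, minor, patch))."""
    m = re.match(r"\s*(\S+)\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group(1), tuple(int(n) for n in m.groups()[1:])

def avx512_flags(cpuinfo_text):
    """Return the sorted avx512* feature flags found in Linux /proc/cpuinfo text."""
    found = set()
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            found.update(f for f in value.split() if f.startswith("avx512"))
    return sorted(found)

def assess(banner, cpuinfo_text):
    """Classify one host as 'affected', 'version-only' or 'not-affected'."""
    product, version = parse_banner(banner)
    if (product, version) != AFFECTED:
        return "not-affected"  # OpenSSL 1.1.1 and forks land here, as the article states
    # Assumption: any avx512* flag counts as "AVX-512 present"; the article
    # does not say which AVX-512 subset the faulty code path needs.
    return "affected" if avx512_flags(cpuinfo_text) else "version-only"

# Constructed sample inputs (not taken from real hosts).
CPU_AVX512 = "processor : 0\nflags : fpu sse2 avx avx2 avx512f avx512ifma\n"
CPU_AVX2 = "processor : 0\nflags : fpu sse2 avx avx2\n"
SAMPLE_HOSTS = {
    "web-01": ("OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)", CPU_AVX512),
    "web-02": ("OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)", CPU_AVX2),
    "db-01": ("OpenSSL 1.1.1n  15 Mar 2022", CPU_AVX512),
    "bsd-01": ("LibreSSL 3.5.2", CPU_AVX512),
}

def triage(hosts):
    """Map each host name to its classification."""
    return {name: assess(banner, cpu) for name, (banner, cpu) in hosts.items()}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{name}: {verdict}")
```

`openssl version` reports only the library used by the command-line tool, so statically linked or bundled copies of OpenSSL need their own inventory.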