Vulnerability to Openssl 3.0.4, leading to remote damage to memory of process

In the cryptographic library Openssl revealed vulnerability (cve has not yet appointed), with which the remote attacking can damage the contents of the memory memory through sending special data at the time of installation of TLS connection. It is not yet clear whether the problem can lead to the execution of the attacker and the leakage of the data from the memory of the process, or it is limited only to the emergency completion of the work.

Vulnerability is manifested in the issue of Opensl 3.0.4, published June 21, And caused by incorrect correction in the code, which can be re -recorded or counted up to 8192 backs . Operation of vulnerability is possible only on X64 systems with support for instructions AVX512.

Such branches from Openssl as Boringssl and Libressl, as well as the Openssl 1.1.1 branch, are not subject to the problem. Correction is still available only in the form of patches . With the worst scenario, the problem may be more dangerous than the vulnerability of Heartbleed, but the level of threat reduces the fact that vulnerability is manifested only in the OpenSSL 3.0.4 release, while many default distributions continue to supply a branch 1.1.1 or have not yet managed to form Packages updates with version 3.0.4.

/Media reports.