back to article OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw

The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512). OpenSSL 3.0.4 was released on June 21 to address a command- …

  1. Ben Tasker Silver badge

    > I think we shouldn't mark a bug as 'security vulnerability' unless we have some evidence showing it can (or at least, may) be exploited," he wrote, adding that nonetheless 3.0.5 should be released as soon as possible because it's very severe.

    > v

    > "I'm not sure I understand how it's not a security vulnerability," responded Gaynor. "It's a heap buffer overflow that's triggerable by things like RSA signatures, which can easily happen in remote contexts (e.g. a TLS handshake)."

    Personally, I think they're both right.

    We need to be careful about labelling things as vulnerabilities if there isn't any evidence that they might be exploitable. Otherwise, much like the vim example, you get a wash of "security vulnerabilities" which'll lead to operators, users and admins becoming complacent about installing patches (oh they label everything a vulnerability nowadays....), negatively impacting the chances of getting fixes for exploitable issues installed quickly.

    But, that doesn't mean that *this* instance shouldn't be called a vulnerability - it's got all the makings of one, it's remotely triggerable using something the other end has control over, all that's really missing is that no-one's (yet) figured out how to misuse it. Whilst they might never do (a buffer overflow is never good, but it's also not always exploitable), the fact that it can be triggered remotely creates a window of opportunity for anyone that can figure it out. So the second quote is right too.

    I'm not sure I agree with the assessment that this is worse than Heartbleed, the "badness" of a vulnerability is about more than what you can do with it (after all, we don't describe privilege escalation bugs as "worse than heartbleed"): the real-world applicability has to be considered too.

    This vulnerability applies to a (very) limited subset of installs, which need to be using specific hardware. Heartbleed affected (more or less) anyone running almost any version of OpenSSL that was available - you could do less with it (at least directly), but you could use it against the majority of services on the web. In my book, that's much worse. This still needs fixing though.

    1. Pascal Monett Silver badge
      Coat

      Well, the experts are slugging it out, so something will come of it.

      Thank goodness the marketing department is not weighing in . . .

      1. stiine Silver badge

        They'd just rebrand OpenSSL and then take a holiday to Greece.

  2. Alan J. Wylie

    3.0.x is still "Masked" on Gentoo

    Meanwhile, Linux distributions like Gentoo have not yet rolled out OpenSSL 3.0.4 as a result of this bug and a test build failure bug. So they include OpenSSL 3.0.3, with its command injection flaw.

    The default build on Gentoo still uses 1.1.1o, to enable 3.0.x you would need to explicitly edit a configuration file to "unmask" the version.

    There are still many packages, e.g. versions of Ruby and PHP which won't build against 3.0.x

  3. Anonymous Coward
    Anonymous Coward

    AVX512 -- Available on exactly which Intel processors?......

    Intel Quote: "...available on Intel® Xeon® Scalable processors...."

    So......why not say so in the article?......so some of us using retail Intel processors can just ignore the scaremongering!!!!

    1. badflorist

      Re: AVX512 -- Available on exactly which Intel processors?......

      I have a i7 X something or other that has it (~5 years old). I believe all of Alder Lake was supposed to have it. Some of the low powered i3/i5 models have it.

      To me, the highlight of this article is that Intel disabled AVX512, not that OpenSSL has a bug. I didn't know they're disabling it and now I'm wondering about my older i7X CPU suffering a retroactive degrade. The last noteworthy feature Intel added to desktop CPUs might be the vtx-x features... ~12 years ago.

    2. iron Silver badge

      Re: AVX512 -- Available on exactly which Intel processors?......

      There's a website you can use to find out the answer to questions just like that, it is called Google.

      While you digest that mid-shattering nugget of information:

      Proposed by Intel in July 2013, and implemented in Intel's Xeon Phi x200 (Knights Landing) and Skylake-X CPUs; this includes the Core-X series (excluding the Core i5-7640X and Core i7-7740X), as well as the new Xeon Scalable Processor Family and Xeon D-2100 Embedded Series.

      https://en.wikipedia.org/wiki/AVX-512#CPUs_with_AVX-512

      1. Anonymous Coward
        Anonymous Coward

        Re: AVX512 -- Available on exactly which Intel processors?......

        On an article specifically dealing with AVX512 it's not really a big ask for the author to have included a short snippet like that., "just use Google" isn't really the right answer here

    3. David 132 Silver badge
      Boffin

      Re: AVX512 -- Available on exactly which Intel processors?......

      FYI for those wondering it's simple to find answers like that on Ark.intel.com. That link is directly to a search for "processors with AVX-512".

  4. FireBurn

    OpenSSL 3 is still masked on Gentoo - basically you'd have unmask it to enable it, OpenSSL 1.1.1 is still the default

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022