We discuss the CVE-2022-2274 OpenSSL Vulnerability.
The OpenSSL 3.0.4 release introduced a serious bug in the RSA
implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
This issue makes the RSA implementation with 2048 bit private keys
incorrect on such machines and memory corruption will happen during
the computation. As a consequence of the memory corruption an attacker
may be able to trigger a remote code execution on the machine performing
the computation.
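A host triage check for the condition described above, as an added example that is not from the episode or from the OpenSSL project: it reports a Linux host as exposed when the OpenSSL library version is 3.0.4 and `/proc/cpuinfo` lists the `avx512ifma` flag. The function names, result labels and sample strings are constructed for illustration, and the check assumes 3.0.4 is the only affected release.

```python
import re
import subprocess

AFFECTED_VERSION = "3.0.4"  # the only release the page names as affected
CPU_FLAG = "avx512ifma"     # how Linux /proc/cpuinfo spells AVX512IFMA

# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER = "OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)"
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu sse2 avx2 avx512f avx512ifma\n"

def library_version(banner):
    """Return X.Y.Z from `openssl version` output, preferring the linked
    library's version over the CLI's when both are printed."""
    found = re.findall(r"OpenSSL\s+(\d+\.\d+\.\d+)", banner)
    return found[-1] if found else None

def cpu_flags(cpuinfo_text):
    """Collect the flags of every logical CPU listed in /proc/cpuinfo."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            flags.update(value.split())
    return flags

def assess(banner, cpuinfo_text):
    """Classify a host from its OpenSSL banner and cpuinfo text."""
    version = library_version(banner)
    if version is None:
        return "unknown"                   # e.g. a non-OpenSSL banner
    if version != AFFECTED_VERSION:
        return "version-not-affected"
    if CPU_FLAG in cpu_flags(cpuinfo_text):
        return "exposed"                   # both conditions from the page hold
    return "affected-version-no-ifma"      # buggy code path is not selected

if __name__ == "__main__":
    # Checks only the `openssl` found on PATH; copies bundled into other
    # software need to be checked separately.
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True).stdout
    with open("/proc/cpuinfo") as fh:
        print(assess(banner, fh.read()))
```
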
0:00 Intro
1:00 CVE-2022-2274
3:00 AVX512IFMA CISC
5:00 How the bug works
7:10 How can it be triggered
Resources
https://www.openssl.org/news/secadv/20220705.txt
https://github.com/openssl/openssl/issues/18625
https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/
https://eprint.iacr.org/2018/335
https://github.com/openssl/openssl/commit/4d8a88c134df634ba610ff8db1eb8478ac5fd345
https://linux.die.net/man/3/bn_internal
https://www.microfocus.com/documentation/enterprise-developer/ed60/ES-WIN/GUID-E3960B1E-C42E-4748-A5EB-6E12507C9CD7.html
https://www.microcontrollertips.com/risc-vs-cisc-architectures-one-better/