Various components, such as Python, use OpenSSL version 1.1.1u internally. Because no newer versions of these components have been released yet, the associated vulnerability CVE-2023-4807 cannot be removed.
The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions.
If an attacker can influence whether an application that uses the OpenSSL library uses the POLY1305 MAC algorithm, the application state might be corrupted, with various application-dependent consequences up to data corruption and control of the application process.
The following vulnerabilities are associated with the components.
A detailed description of the CVEs can be found here.
Database | CVE | Score | Classification |
NVD | CVE-2023-4807 | 7.8 | High |
Real-Time-Testing Release 2022-A, 2022-B, 2023-A, 2023-B
The provided script sets the environment variable OPENSSL_ia32cap and deactivates the AVX512-IFMA instructions support of the CPU.
The environment variable OPENSSL_ia32cap is used by OpenSSL to control the functions accessing specific processor instruction set extensions. It allows for the management of certain instruction set extensions on processors that support them. Generally, this variable is used to set specific CPU features to adjust performance or supported instruction set extensions, such as SSE (Streaming SIMD Extensions) or AES-NI (Advanced Encryption Standard New Instructions). By setting this variable, you can influence the use of certain hardware capabilities for cryptographic operations within OpenSSL.
You can run the script any time to set the environment variable. The undo script removes the variable from the system.
Without the CPU's AES-NI support, performance losses can occur when encrypting large amounts of data.
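The following check is an added example, not part of the provided script or of the original page. It verifies that the `OPENSSL_ia32cap` value inherited by a Python process actually leaves AVX512-IFMA switched off, and reports the OpenSSL build that Python links against. It assumes the mask `:~0x200000` given as the workaround in the OpenSSL advisory for CVE-2023-4807 (the value written by the provided script is not shown here); the function names are hypothetical.

```python
import os
import platform
import re
import ssl

# AVX512-IFMA is CPUID.(EAX=7,ECX=0):EBX bit 21, which sits in the second
# (":"-separated) vector of OPENSSL_ia32cap.
AVX512_IFMA = 1 << 21


def _parse_uint(text):
    """Parse a leading number: 0x.. hex, leading 0 octal, otherwise decimal."""
    m = re.match(r"0[xX]([0-9a-fA-F]+)|0([0-7]*)|([1-9][0-9]*)", text)
    if m is None:
        return None
    if m.group(1) is not None:
        return int(m.group(1), 16)
    if m.group(2) is not None:
        return int(m.group(2) or "0", 8)
    return int(m.group(3))


def ifma_masked(value):
    """True only if the value explicitly leaves AVX512-IFMA off in the second vector."""
    if not value or ":" not in value:
        return False  # unset, or only the first vector is addressed
    clause = value.split(":")[1]
    negate = clause.startswith("~")
    bits = _parse_uint(clause[1:] if negate else clause)
    if bits is None:
        return False  # malformed clause: treat as not mitigated
    # "~mask" clears the listed bits; a bare value replaces the vector.
    return bool(bits & AVX512_IFMA) if negate else not (bits & AVX512_IFMA)


def status(env=os.environ):
    """Summarise what this Python process links against and inherited."""
    value = env.get("OPENSSL_ia32cap")
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "win64": platform.system() == "Windows"
        and platform.machine().upper() in ("AMD64", "X86_64"),
        "OPENSSL_ia32cap": value,
        "ifma_masked": ifma_masked(value),
    }


if __name__ == "__main__":
    for key, val in status().items():
        print(f"{key}: {val}")
```

Run it with the same Python interpreter the affected component uses, in a process started after the variable was set, because the result reflects only the environment that process inherited.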
Date | 2024-01-08 |
Product | Real-Time Testing |
Information Type | Notifications |
Information Category | Product Security, Troubleshooting |
dSPACE Release | 2023-B, 2023-A, 2022-B, 2022-A |