diff --git a/.edk2.metadata b/.edk2.metadata
index f94394e..104bb66 100644
--- a/.edk2.metadata
+++ b/.edk2.metadata
@@ -1,2 +1,3 @@
+fdcb04021414cdd5a7e286058ca36aca359d323d SOURCES/RedHatSecureBootPkKek1.pem
 ae830c7278f985cb25e90f4687b46c8b22316bef SOURCES/edk2-bb1bba3d77.tar.xz
-50747c8a7bb55619b69e95683c7c4172d52d1974 SOURCES/openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz
+df2e14a45d968b590194d82736fcbfe2be10d1b0 SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
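Review bot: The new first entry makes a 40-hex-character digest the only thing binding `SOURCES/RedHatSecureBootPkKek1.pem` to a known certificate, because this same commit deletes the PEM from git (blob d302362) and adds it to `.gitignore`. The spec still lists the file as `Source5`, so the build now takes the certificate from the lookaside cache; if it is enrolled as the Secure Boot PK/KEK in the generated variable store (which the name suggests but the visible lines do not show), a wrong blob would change the firmware's trust anchor. Before merging, confirm that the cached file is byte-identical to the deleted one and that `fdcb04021414cdd5a7e286058ca36aca359d323d` is its digest, and record the reason for the move in the commit message. The digest length matches SHA-1, so a stronger hash would be preferable for this entry if the tooling supports one.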
diff --git a/.gitignore b/.gitignore
index e3ae634..f12b9e8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
+SOURCES/RedHatSecureBootPkKek1.pem
 SOURCES/edk2-bb1bba3d77.tar.xz
-SOURCES/openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz
+SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
diff --git a/SOURCES/RedHatSecureBootPkKek1.pem b/SOURCES/RedHatSecureBootPkKek1.pem
deleted file mode 100644
index d302362..0000000
--- a/SOURCES/RedHatSecureBootPkKek1.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV
-BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG
-9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx
-MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L
-RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw
-+d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31
-huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B
-bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr
-3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x
-y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID
-AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
-YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww
-HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD
-ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c
-3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N
-1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol
-qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw
-NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL
-R+SqIs/vdWGA40O3SFdzET14m2k=
------END CERTIFICATE-----
diff --git a/SOURCES/edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch b/SOURCES/edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
new file mode 100644
index 0000000..f0ee17f
--- /dev/null
+++ b/SOURCES/edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
@@ -0,0 +1,42 @@
+From ec7ff1612b2f5b0075545dc705b7c2610ec83748 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 10 Feb 2023 11:43:06 +0100
+Subject: [PATCH 2/2] rh openssl: add crypto/bn/rsa_sup_mul.c to file list
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 21: openssl update
+RH-Bugzilla: 2164531 2164543 2164558 2164581
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Commit: [2/2] 61acf48e337f04b34c4f309241775b204ae2e54f (kraxel/rhel-edk-2)
+---
+ CryptoPkg/Library/OpensslLib/OpensslLib.inf       | 1 +
+ CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+index 19913a4ac6..4eaa8a756d 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+@@ -571,6 +571,7 @@
+   $(OPENSSL_PATH)/ssl/statem/statem_local.h
+ # Autogenerated files list ends here
+ # RHEL8-specific OpenSSL file list starts here
++  $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
+   $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
+   $(OPENSSL_PATH)/crypto/evp/pkey_kdf.c
+   $(OPENSSL_PATH)/crypto/kdf/kbkdf.c
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+index 5057857e8d..eec4771f2c 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+@@ -520,6 +520,7 @@
+   $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
+ # Autogenerated files list ends here
+ # RHEL8-specific OpenSSL file list starts here
++  $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
+   $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
+   $(OPENSSL_PATH)/crypto/evp/pkey_kdf.c
+   $(OPENSSL_PATH)/crypto/kdf/kbkdf.c
+-- 
+2.37.3
+
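Review bot: The embedded commit message has a subject and RH trailers but no body, so nothing explains why `crypto/bn/rsa_sup_mul.c` must be added to both `OpensslLib.inf` and `OpensslLibCrypto.inf`. A one-sentence body would help, for example `The updated openssl-rhel tree adds crypto/bn/rsa_sup_mul.c (used by the RSA decryption timing fix); list it so OpensslLib builds and links.` The link to the CVE-2022-4304 fix is inferred from the file name and the Bugzilla numbers, so confirm it before wording it that way. Both hunks place the file at the top of the RHEL8-specific list rather than in the autogenerated list, which is worth stating too if it is intentional.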
diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec
index 95ba556..c430c1c 100644
--- a/SPECS/edk2.spec
+++ b/SPECS/edk2.spec
@@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    3%{?dist}
+Release:    4%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 Group:      Applications/Emulators
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
@@ -19,7 +19,7 @@ URL:        http://www.tianocore.org
 # | xz -9ev >/tmp/edk2-$COMMIT.tar.xz
 Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz
 Source1: ovmf-whitepaper-c770f8c.txt
-Source2: openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz
+Source2: openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
 Source3: ovmf-vars-generator
 Source4: LICENSE.qosb
 Source5: RedHatSecureBootPkKek1.pem
@@ -51,6 +51,11 @@ Patch0025: 0025-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
 Patch0026: 0026-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
 # For bz#2112307 - Mark SEV launch secret area as reserved
 Patch27: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch
+# For bz#2164531 - CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-8]
+# For bz#2164543 - CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-8]
+# For bz#2164558 - CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8]
+# For bz#2164581 - CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8]
+Patch28: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
 
 
 # python3-devel and libuuid-devel are required for building tools.
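Review bot: The four `# For bz#...` comments sit directly above `Patch28`, which reads as if that patch fixes all four CVEs, yet the patch only adds one file to the OpenSSL build lists; the fixes themselves would come from the new `Source2` tarball. A comment that says so keeps later audits from looking for the fix in the wrong place, for example `# OpenSSL CVE fixes are in the Source2 tarball; Patch28 only adds a new file to the build lists`. The changelog entry in the last hunk also names `edk2-openssl-update.patch`, which is neither added under `SOURCES/` nor given a `PatchNN` line in this diff; if it was folded into the tarball, the changelog should say that. Whether `Patch28` is actually applied depends on the `%prep` section, which is outside these hunks.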
@@ -495,6 +500,18 @@ true
 %endif
 
 %changelog
+* Wed Feb 15 2023 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-4
+- edk2-openssl-update.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
+- edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
+- Resolves: bz#2164531
+  (CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-8])
+- Resolves: bz#2164543
+  (CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-8])
+- Resolves: bz#2164558
+  (CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8])
+- Resolves: bz#2164581
+  (CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8])
+
 * Tue Aug 02 2022 Camilla Conte <cconte@redhat.com> - 20220126gitbb1bba3d77-3
 - Bumping OpenSSL version [bz# 2074834]
 - Resolves: bz# 2074834