Skip to content
Untitled design-Aug-24-2022-05-11-24-06-PM
Christoph HartmannNovember 1, 20227 min read

High OpenSSL Vulnerabilities (CVE-2022-3602 & CVE-2022-3786): Find, Fix, and Enforce Through Open Source

openssl


Find the OpenSSL high vulnerabilities (CVE-2022-3602 and CVE-2022-3786) in your environment with Mondoo's new open source tools: cnquery and cnspec. With cnquery's cloud-native asset inventory capabilities, you can detect all instances of the vulnerabilities across your entire infrastructure. Apply the patch to all affected assets and then use cnspec to ensure that no installations with this vulnerability ever go to production again.


The OpenSSL Project issued rare high vulnerabilities, CVE-2022-3602 and CVE-2022-3786. These vulnerabilities are in OpenSSL versions 3.0.0 through 3.0.6. 

Get started with cnspec today.

How can I tell if my systems are affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?

The table at the end of this article lists operating systems and their default OpenSSL versions. That can give you a rough idea of what you're facing. But to fully understand the impact on your environment, take an asset inventory of OpenSSL versions used in your environment.

But how can I take a complete inventory across all the different types of assets in my multi-cloud or hybrid cloud environment?

Mondoo’s GraphQL-based query language, MQL, allows you to quickly gather information about installed packages on your assets, including container images, VMs, bare-metal servers… everything.

If you have not yet installed cnquery, follow our instructions. Once you've installed, you can gather information about installed packages from a container image:

packages.where(name == /ssl/)
Screenshot1

We added a specific OpenSSL incident response query pack to gather this data quickly. You can validate container images, running containers, virtual machines, and the local machine.

To inspect a container image, run:

$ cnquery scan container ubuntu:22.04 --querypack mondoo-openssl-incident-response
Screenshot2

You can apply the same approach remotely using ssh:

cnquery scan ssh user@host --querypack mondoo-openssl-incident-response

If you need to gather information from a running AWS EC2 instance, just use our EC2 Instance Connect provider:

cnquery scan aws ec2 instance-connect ec2-user@i-1234567890abcdef0 --querypack mondoo-openssl-incident-response
Screenshot3

If you use Ansible to manage your instances, just run this command to quickly identify the OpenSSL version. Create or use an existing hosts file:

# Linux Hosts
[mondoo_linux_clients]
104.198.161.240 ansible_user=chris

cnquery understands the inventory format and uses it directly to run the query pack against all targets.

ansible-inventory -i hosts.ini --list | cnquery  scan --inventory-file - --inventory-ansible --insecure --querypack mondoo-openssl-incident-response

Once I find assets affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786), how do I apply patches?

To update the vulnerable OpenSSL version using a shell, enter the command below that matches your operating system. 

For Debian and Ubuntu:

apt update && apt --only-upgrade install -y libssl3

For Red Hat:

dnf update openssl-libs

If you're using Ansible to update the vulnerable OpenSSL package, use the values below that match your operating system.

For Debian and Ubuntu:

---
  - hosts: 
    tasks:
      - name: Update OpenSSL package for Debian-based OS
        ansible.builtin.apt:
          name: libssl3
          state: latest
          update_cache: yes
	    only_upgrade: yes
        become: yes

For Red Hat:

---
 - hosts: 
   tasks:
     - name: Update OpenSSL package for Red Hat-based OS
       ansible.builtin.dnf:
         name: openssl-libs
         state: latest
         update_only: yes
       become: yes

How can I ensure that no new installations affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786) ever go to production?

Once you've patched all the identified systems, you want to make sure that no new systems use the affected versions of OpenSSL. We added a new OpenSSL Security Policy to cnspec that validates that all packages are not affected. 

If you have not yet installed cnspec, follow our instructions.

cnspec enforces the correct settings through controls that use MQL queries.  This query allows you to verify that the affected version is not used:

packages.where(name == /ssl/).all( version != /3.0.[0123456]/ )

The full policy is available on Github.

cnspec scan local

Screenshot4

It is also possible to scan for vulnerable packages on a system using the vulnerability policy. All you need to do is  register a free account on mondoo.com, register the cnspec client, and run the following commands:

cnspec login –token ‘insert token here’
cnspec vuln container ubuntu:22.04

cnspec vuln ubuntu

Which operating systems are affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)? 

OpenSSL releases from 3.0.0 to 3.0.6 are affected, impacting all releases after September 2021. We’ve pulled together a running list of common Operating Systems that ship with OpenSSL as of November 1, 2022:

Operating system

Default version

Affected?

AlmaLinux 8

1.1.1k-7.el8_6

no

AlmaLinux 9

3.0.1-41.el9_0

yes, VMs and container

Alpine 3.16

1.1.1q-r0

no

Alpine Edge

3.0.5-r3

yes, default container images do not ship with OpenSSL, therefore it only affects container images that added it explicitly

Amazon Linux 2

1.0.2k-24.amzn2

no

Amazon Linux 2022

3.0.5-1.amzn2022

yes, VMs and container

Arch Linux

1.1.1.q-1

no

CentOS 7

1.0.2k-19.el7

no, but the centos 7 container image is deprecated, and should be replaced with AlmaLinux, Rocky Linux, or Red Hat Enterprise Linux (RHEL)  

CentOS 8

1.1.1g-15.el8_3

no, but at end-of-Life, switch to AlmaLinux, Rocky Linux ,or Red Hat Enterprise Linux (RHEL)

CentOS 8 Stream

1.1.1k-7.el8_6

no

CentOS 9 Stream

3.0.1-41.el9

yes

Debian 10

1.1.1n-0+deb10u3

no, containers do not include it by default; VMs ship the unaffected 1.x

Debian 11

1.1.1n-0+deb11u3

no

Deepin

1.1.1d.6-1

no

Fedora 34

1.1.1l-2.fc34

no

Fedora 35

1.1.1l-2.fc35

no

Fedora 36

3.0.2-4.fc36

yes

Kali 2022.3

3.0.4-2

yes

Linux Mint 21 Vanessa

3.0.2-0ubuntu1.6

yes

Linux Mint 20.3 Una

1.1.1f-1ubuntu2.16

no

Linux Mint 19.3 Tricia

1.1.0g-2ubuntu4

no

Manjaro

1.1.1q

no

openSUSE Leap 15.4

1.1.1l-150400.7.10.5

no

openSUSE Tumbleweed

3.0.5-2.1

yes

Oracle Linux 7

1.0.2k-25.el7

no

Oracle Linux 8

1.1.1k-7.el8

no

Oracle Linux 9

3.0.1-41.0.1.el9

yes, including container images

Pop!_OS

3.0.2-0ubuntu1.6

 

Red Hat Enterprise Linux (RHEL) 6

1.0.1e-57.el6

no, but it is end of life and should be migrated to a newer system

Red Hat Enterprise Linux (RHEL) 7

1.0.2k-19.el7

no, but is on maintenance support and an upgrade should be planned

Red Hat Enterprise Linux (RHEL) 8

1.1.1k-7.el8_6

no

Red Hat Enterprise Linux (RHEL) 9

3.0.1-41.el9_0

yes, is also included in the UBI standard and minimal container images

Rocky Linux 8

1.1.1k-6.el8_5

no

Rocky Linux 9

3.0.1-41.el9_0

yes, including container images

SUSE Linux Enterprise Server 12 SP5

1.0.2p-1.13

no

SUSE Linux Enterprise Server 15 SP4

1.1.0i-3.3.1

no

Ubuntu 20.04

1.1.1f-1ubuntu2.16

no, container does not ship with openssl as default

Ubuntu 22.04

3.0.2-0ubuntu1.6

yes, also included in default base container image

Ubuntu 22.10

3.0.5-2ubuntu1

yes, but not included in container images


Is macOS affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?

The news is mostly good for users of macOS (including the latest macOS release, Ventura). macOS does not ship with OpenSSL by default; it instead uses the LibreSSL library, which is not affected by this vulnerability. You can easily check which version of OpenSSL your Mac is using by opening the Terminal and running the command openssl version.

openssl version
LibreSSL 2.8.3

We recommend that you configure your system (in System Preferences) to apply high security patches. This check is included in our default MacOS Security by Mondoo policy, which cnspec runs by default. Simply open a terminal on your Mac and run the following command:

cnspec scan local

OpenSSL may be installed by other package managers like Homebrew and MacPorts, so update any packages you manage with those tools to ensure you are pulling in the latest versions.

Is Windows affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?

By default, Windows does not ship with OpenSSL, but any Linux installation running in Windows Subsystem for Linux (WSL) may be affected. 

Is OpenSSH affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?

The OpenSSH project itself switched to the OpenSSL fork LibreSSH and is not affected.

Get started with cnspec today.

avatar

Christoph Hartmann

Christoph Hartmann, co-founder and CTO at Mondoo, wants to make the world more secure. He’s long been a leader in security engineering and DevOps, creating widely adopted solutions like Dev-Sec.io and InSpec. For fun, he builds everything from custom operating systems to autonomous Lego Mindstorm robots.
view raw