The OpenSSL Project issued rare high vulnerabilities, CVE-2022-3602 and CVE-2022-3786. These vulnerabilities are in OpenSSL versions 3.0.0 through 3.0.6.
How can I tell if my systems are affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?
The table at the end of this article lists operating systems and their default OpenSSL versions. That can give you a rough idea of what you're facing. But to fully understand the impact on your environment, take an asset inventory of OpenSSL versions used in your environment.
But how can I take a complete inventory across all the different types of assets in my multi-cloud or hybrid cloud environment?
Mondoo's GraphQL-based query language, MQL, allows you to quickly gather information about installed packages on your assets, including container images, VMs, bare-metal servers… everything.
If you have not yet installed cnquery, follow our instructions. Once you've installed, you can gather information about installed packages from a container image:
MQLpackages.where(name == /ssl/)
We added a specific OpenSSL incident response query pack to gather this data quickly. You can validate container images, running containers, virtual machines, and the local machine.
To inspect a container image, run:
Bashcnquery scan container ubuntu:22.04 --querypack mondoo-openssl-incident-response
You can apply the same approach remotely using ssh:
Bashcnquery scan ssh user@host --querypack mondoo-openssl-incident-response
If you need to gather information from a running AWS EC2 instance, just use our EC2 Instance Connect provider:
Bashcnquery scan aws ec2 instance-connect ec2-user@i-1234567890abcdef0 --querypack mondoo-openssl-incident-response
If you use Ansible to manage your instances, just run this command to quickly identify the OpenSSL version. Create or use an existing hosts file:
Bashansible-inventory -i hosts.ini --list | cnquery scan --inventory-file - --inventory-ansible --insecure --querypack mondoo-openssl-incident-response
cnquery understands the inventory format and uses it directly to run the query pack against all targets.
Once I find assets affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786), how do I apply patches?
To update the vulnerable OpenSSL version using a shell, enter the command below that matches your operating system.
For Debian and Ubuntu:
Bashapt update && apt --only-upgrade install -y libssl3
For Red Hat:
Bashdnf update openssl-libs
If you're using Ansible to update the vulnerable OpenSSL package, use the values below that match your operating system.
For Debian and Ubuntu:
YAML---- hosts: alltasks:- name: Update OpenSSL package for Debian-based OSansible.builtin.apt:name: libssl3state: latestupdate_cache: yesonly_upgrade: yesbecome: yes
For Red Hat:
YAML---- hosts: alltasks:- name: Update OpenSSL package for Red Hat-based OSansible.builtin.dnf:name: openssl-libsstate: latestbecome: yes
How can I ensure that no new installations affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786) ever go to production?
Once you've patched all the identified systems, you want to make sure that no new systems use the affected versions of OpenSSL. We added a new OpenSSL Security Policy to cnspec that validates that all packages are not affected.
If you have not yet installed cnspec, follow our instructions.
cnspec enforces the correct settings through controls that use MQL queries. This query allows you to verify that the affected version is not used:
MQLpackages.where(name == /ssl/).all( version != /3.0.[0123456]/ )
The full policy is available on GitHub.
Bashcnspec scan local
It is also possible to scan for vulnerable packages on a system using the vulnerability policy. All you need to do is register a free account on mondoo.com, register the cnspec client, and run the following commands:
Bashcnspec login --token 'insert token here'cnspec vuln container ubuntu:22.04
Which operating systems are affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?
OpenSSL releases from 3.0.0 to 3.0.6 are affected, impacting all releases after September 2021. We've pulled together a running list of common Operating Systems that ship with OpenSSL as of November 1, 2022:
| Operating system | Default version | Affected? |
|---|---|---|
| AlmaLinux 8 | 1.1.1k-7.el8_6 | not affected |
| AlmaLinux 9 | 3.0.1-41.el9_0 | yes, VMs and container |
| Alpine 3.16 | 1.1.1q-r0 | no |
| Alpine Edge | 3.0.5-r3 | yes, default container images do not ship with OpenSSL, therefore it only affects container images that added it explicitly |
| Amazon Linux 2 | 1.0.2k-24.amzn2 | no |
| Amazon Linux 2022 | 3.0.5-1.amzn2022 | yes, VMs and container |
| Arch Linux | 1.1.1.q-1 | no |
| CentOS 7 | 1.0.2k-19.el7 | no, but the centos 7 container image is deprecated, and should be replaced with AlmaLinux, Rocky Linux, or Red Hat Enterprise Linux (RHEL) |
| CentOS 8 | 1.1.1g-15.el8_3 | no, but at end-of-Life, switch to AlmaLinux, Rocky Linux ,or Red Hat Enterprise Linux (RHEL) |
| CentOS 8 Stream | 1.1.1k-7.el8_6 | no |
| CentOS 9 Stream | 3.0.1-41.el9 | yes |
| Debian 10 | 1.1.1n-0+deb10u3 | no, containers do not include it by default; VMs ship the unaffected 1.x |
| Debian 11 | 1.1.1n-0+deb11u3 | no |
| Deepin | 1.1.1d.6-1 | no |
| Fedora 34 | 1.1.1l-2.fc34 | no |
| Fedora 35 | 1.1.1l-2.fc35 | no |
| Fedora 36 | 3.0.2-4.fc36 | yes |
| Kali 2022.3 | 3.0.4-2 | yes |
| Linux Mint 21 Vanessa | 3.0.2-0ubuntu1.6 | yes |
| Linux Mint 20.3 Una | 1.1.1f-1ubuntu2.16 | no |
| Linux Mint 19.3 Tricia | 1.1.0g-2ubuntu4 | no |
| Manjaro | 1.1.1q | no |
| openSUSE Leap 15.4 | 1.1.1l-150400.7.10.5 | no |
| openSUSE Tumbleweed | 1.1.1q-2.1 | no |
| Oracle Linux 7 | 1.0.2k-25.el7 | no |
| Oracle Linux 8 | 1.1.1k-7.el8 | no |
| Oracle Linux 9 | 3.0.1-41.0.1.el9 | yes, including container images |
| Pop!_OS | 3.0.2-0ubuntu1.6 | yes |
| Red Hat Enterprise Linux (RHEL) 6 | 1.0.1e-57.el6 | no, but it is end of life and should be migrated to a newer system |
| Red Hat Enterprise Linux (RHEL) 7 | 1.0.2k-19.el7 | no, but is on maintenance support and an upgrade should be planned |
| Red Hat Enterprise Linux (RHEL) 8 | 1.1.1k-7.el8_6 | no |
| Red Hat Enterprise Linux (RHEL) 9 | 3.0.1-41.el9_0 | yes, is also included in the UBI standard and minimal container images |
| Rocky Linux 8 | 1.1.1k-6.el8_5 | no |
| Rocky Linux 9 | 3.0.1-41.el9_0 | yes, including container images |
| SUSE Linux Enterprise Server 12 SP5 | 1.0.2p-1.13 | no |
| SUSE Linux Enterprise Server 15 SP4 | 1.1.0i-3.3.1 | no |
| Ubuntu 20.04 | 1.1.1f-1ubuntu2.16 | no, container does not ship with openssl as default |
| Ubuntu 22.04 | 3.0.2-0ubuntu1.6 | yes, also included in default base container image |
| Ubuntu 22.10 | 3.0.5-2ubuntu1 | yes, but not included in container images |
Is macOS affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?
The news is mostly good for users of macOS (including the latest macOS release, Ventura). macOS does not ship with OpenSSL by default; it instead uses the LibreSSL library, which is not affected by this vulnerability. You can easily check which version of OpenSSL your Mac is using by opening the Terminal and running the command:
Bashopenssl version
We recommend that you configure your system (in System Preferences) to apply high security patches. This check is included in our default macOS Security by Mondoo policy, which cnspec runs by default. Simply open a terminal on your Mac and run the following command:
Bashcnspec scan local
OpenSSL may be installed by other package managers like Homebrew and MacPorts, so update any packages you manage with those tools to ensure you are pulling in the latest versions.
Is Windows affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?
By default, Windows does not ship with OpenSSL, but any Linux installation running in Windows Subsystem for Linux (WSL) may be affected.
Is OpenSSH affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?
The OpenSSH project itself switched to the OpenSSL fork LibreSSH and is not affected.
