The OpenSSL Project issued an advisory for two High severity vulnerabilities, CVE-2022-3602 and CVE-2022-3786, both buffer overflows in X.509 certificate verification. They affect OpenSSL versions 3.0.0 through 3.0.6 and are fixed in 3.0.7; the 1.1.1 branch is not affected.
How can I tell if my systems are affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?
The table at the end of this article lists operating systems and their default OpenSSL versions. That can give you a rough idea of what you're facing. But to fully understand the impact on your environment, take an asset inventory of OpenSSL versions used in your environment.
But how can I take a complete inventory across all the different types of assets in my multi-cloud or hybrid cloud environment?
Mondoo’s GraphQL-based query language, MQL, allows you to quickly gather information about installed packages on your assets, including container images, VMs, bare-metal servers… everything.
If you have not yet installed cnquery, follow our instructions. Once it is installed, you can list the installed packages whose name contains "ssl" (libssl3, openssl, openssl-libs and so on) on a container image with this query:
packages.where(name == /ssl/)
We added a specific OpenSSL incident response query pack to gather this data quickly. You can validate container images, running containers, virtual machines, and the local machine.
To inspect a container image, run:
cnquery scan container ubuntu:22.04 --querypack mondoo-openssl-incident-response
You can apply the same approach remotely using ssh:
cnquery scan ssh user@host --querypack mondoo-openssl-incident-response
If you need to gather information from a running AWS EC2 instance, just use our EC2 Instance Connect provider:
cnquery scan aws ec2 instance-connect ec2-user@i-1234567890abcdef0 --querypack mondoo-openssl-incident-response
If you use Ansible to manage your instances, you can reuse your Ansible inventory to identify the OpenSSL version on every host. Create a hosts file or use an existing one, for example:
# Linux Hosts
[mondoo_linux_clients]
104.198.161.240 ansible_user=chris
cnquery understands the Ansible inventory format and uses it directly to run the query pack against all targets. Note that --insecure disables SSH host key verification; leave it out if your known_hosts file already covers the targets.
ansible-inventory -i hosts.ini --list | cnquery scan --inventory-file - --inventory-ansible --insecure --querypack mondoo-openssl-incident-response
Once I find assets affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786), how do I apply patches?
To update the vulnerable OpenSSL version from a shell, enter the command below that matches your operating system. Upgrading the package only replaces the library on disk: services that had already loaded the old libssl keep running the vulnerable code until they are restarted (needrestart on Debian/Ubuntu and needs-restarting from dnf-plugins-core on Red Hat list them).
For Debian and Ubuntu:
apt update && apt --only-upgrade install -y libssl3
For Red Hat:
dnf update openssl-libs
If you're using Ansible to update the vulnerable OpenSSL package, use the playbook below that matches your operating system (replace the hosts value with your inventory group).
For Debian and Ubuntu:
---
- hosts: all
  tasks:
    - name: Update OpenSSL package for Debian-based OS
      ansible.builtin.apt:
        name: libssl3
        state: latest
        update_cache: yes
        only_upgrade: yes
      become: yes
For Red Hat:
---
- hosts: all
  tasks:
    - name: Update OpenSSL package for Red Hat-based OS
      ansible.builtin.dnf:
        name: openssl-libs
        state: latest
        update_only: yes
      become: yes
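Upgrading the package replaces the library on disk, but a process that had already loaded the old libssl keeps executing the vulnerable code until it is restarted. The following script, an added example that is not part of this article or of cnquery/cnspec, finds such processes by scanning /proc/<pid>/maps for OpenSSL 3 mappings that the kernel has marked "(deleted)". The library name pattern and the sample maps content are constructed for illustration; run it as root after patching to see every process.

```python
"""Find processes still running a replaced OpenSSL 3 library.

Added example; not part of the article or of cnquery/cnspec. apt and dnf
replace libssl/libcrypto on disk, but a process that loaded the old file
keeps executing it until restarted. Linux marks such mappings
"<path> (deleted)" in /proc/<pid>/maps, which is what this script looks for.
"""
import re
from pathlib import Path

# Shared objects shipped by libssl3 (Debian/Ubuntu) and openssl-libs (RHEL 9).
OPENSSL3_LIB = re.compile(r"/lib(ssl|crypto)\.so\.3(\.[0-9]+)*$")

DELETED = " (deleted)"


def stale_libs_in_maps(maps_text: str) -> set:
    """Return OpenSSL 3 library paths that a process maps from deleted files.

    `maps_text` is the content of one /proc/<pid>/maps file. Fields are
    address, perms, offset, dev, inode and an optional pathname; splitting
    on at most five separators keeps a pathname with spaces intact.
    """
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue                      # anonymous mapping, no backing file
        path = fields[5]
        if path.endswith(DELETED):
            real = path[: -len(DELETED)]
            if OPENSSL3_LIB.search(real):
                stale.add(real)
    return stale


def processes_needing_restart(proc: str = "/proc") -> dict:
    """Map pid -> stale OpenSSL library paths for every readable process."""
    result = {}
    root = Path(proc)
    if not root.is_dir():
        return result
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            text = (entry / "maps").read_text()
        except OSError:
            continue                      # no permission, or the process exited
        stale = stale_libs_in_maps(text)
        if stale:
            result[int(entry.name)] = stale
    return result


# Constructed sample of what a maps file looks like after libssl3 was upgraded
# underneath a running process (not a real capture).
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a100000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f1c2a100000-7f1c2a200000 r-xp 00100000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f1c2b000000-7f1c2b400000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f1c2c000000-7f1c2c020000 rw-p 00000000 00:00 0
7f1c2d000000-7f1c2d010000 r--p 00000000 08:01 9999 /usr/lib/x86_64-linux-gnu/libc.so.6 (deleted)
"""

if __name__ == "__main__":
    for pid, libs in sorted(processes_needing_restart().items()):
        try:
            comm = Path(f"/proc/{pid}/comm").read_text().strip()
        except OSError:
            comm = "?"
        print(f"{pid}\t{comm}\t{' '.join(sorted(libs))}")
```

On the sample, only libssl.so.3 is reported: libcrypto is mapped from the current file and the deleted libc mapping is outside the OpenSSL pattern. On a real host, each pid printed is a service to restart (or a host to reboot) before you consider the patch applied.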
How can I ensure that no new installations affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786) ever go to production?
Once you've patched all the identified systems, you want to make sure that no new systems use the affected versions of OpenSSL. We added a new OpenSSL Security Policy to cnspec that validates that all packages are not affected.
If you have not yet installed cnspec, follow our instructions.
cnspec enforces the correct settings through controls that use MQL queries. This query verifies that no package whose name contains "ssl" is at an affected upstream version:
packages.where(name == /ssl/).all( version != /3.0.[0123456]/ )
Note that this check only sees the upstream version number. Ubuntu and Red Hat backport the fix and keep that number, bumping only the package revision (Ubuntu 22.04's fixed libssl3 is 3.0.2-0ubuntu1.7, Red Hat 9's fixed openssl-libs is 3.0.1-43.el9_0), so on those systems a patched package still matches the pattern. For a definitive answer there, use the vulnerability scan described below, which draws on the distribution advisories.
The full policy is available on GitHub. To run cnspec against the local machine:
cnspec scan local
It is also possible to scan for vulnerable packages on a system using the vulnerability policy. All you need to do is register a free account on mondoo.com, register the cnspec client, and run the following commands:
cnspec login --token 'insert token here'
cnspec vuln container ubuntu:22.04
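The MQL version check above matches on the upstream version number, so it cannot tell a backported fix from an unpatched package, which is why the vulnerability scan is the better source of truth on Ubuntu and Red Hat. As an added example that is not code from this article or from Mondoo, the following Python module shows how a distribution-aware triage of cnquery's package output works: it strips the epoch and package revision to decide whether the upstream version is in the affected range, then compares the full package version against the distribution's fixed version with an rpmvercmp-style segment comparison. The fixed versions are taken from USN-5710-1 and RHSA-2022:7288 as published at the time and the package records are constructed; verify both against the current advisories before relying on them.

```python
"""Distribution-aware triage of OpenSSL package versions.

Added example; not part of the article or of Mondoo's policy. Matching
the upstream version alone (3.0.0 .. 3.0.6) flags packages that already
carry a backported fix, because Ubuntu and Red Hat keep the upstream
number and only bump the package revision.
"""
import re

# Upstream releases affected by CVE-2022-3602 / CVE-2022-3786 (fixed in 3.0.7).
UPSTREAM_AFFECTED = {f"3.0.{n}" for n in range(7)}

# First fixed package version per distribution, as listed in USN-5710-1 and
# RHSA-2022:7288 when this example was written. Assumed for illustration:
# check the advisory for your release before relying on these.
FIXED = {
    ("ubuntu", "22.04"): "3.0.2-0ubuntu1.7",
    ("redhat", "9"): "3.0.1-43.el9_0",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def _segments(version: str) -> list:
    """Split '3.0.2-0ubuntu1.7' into [3, 0, 2, 0, 'ubuntu', 1, 7]."""
    return [int(s) if s.isdigit() else s for s in _SEGMENT.findall(version)]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpmvercmp: numeric segments compare as integers,
    alphabetic ones lexically, and a numeric segment sorts after an alphabetic
    one. Good enough for the Debian and RPM revisions seen here; the '~'
    pre-release marker is not handled."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def upstream_version(package_version: str) -> str:
    """Drop the epoch and the package revision: '1:3.0.2-0ubuntu1.7' -> '3.0.2'."""
    without_epoch = package_version.split(":", 1)[-1]
    return without_epoch.split("-", 1)[0]


def is_vulnerable(name: str, version: str, distro=None, release=None) -> bool:
    """Decide whether an installed package still carries the bug."""
    if "ssl" not in name:          # same package filter as the article's MQL query
        return False
    if upstream_version(version) not in UPSTREAM_AFFECTED:
        return False
    fixed = FIXED.get((distro, release))
    if fixed is None:              # no known backport: the upstream range decides
        return True
    return compare_versions(version, fixed) < 0


# Constructed package records in the shape cnquery's `packages` resource
# reports them (name, version) plus the platform they came from.
SAMPLE_PACKAGES = [
    {"name": "libssl3", "version": "3.0.2-0ubuntu1.6", "distro": "ubuntu", "release": "22.04"},
    {"name": "libssl3", "version": "3.0.2-0ubuntu1.7", "distro": "ubuntu", "release": "22.04"},
    {"name": "openssl-libs", "version": "3.0.1-43.el9_0", "distro": "redhat", "release": "9"},
    {"name": "libssl1.1", "version": "1.1.1n-0+deb11u3", "distro": "debian", "release": "11"},
    {"name": "openssl", "version": "3.0.5", "distro": None, "release": None},
    {"name": "openssl", "version": "3.0.7", "distro": None, "release": None},
]


def triage(packages: list) -> list:
    """Return the records that still need patching."""
    return [p for p in packages
            if is_vulnerable(p["name"], p["version"], p["distro"], p["release"])]


if __name__ == "__main__":
    for p in triage(SAMPLE_PACKAGES):
        print(f"VULNERABLE {p['name']} {p['version']} ({p['distro']} {p['release']})")
```

On the sample, only the unpatched Ubuntu package (revision 1.6) and the bare upstream 3.0.5 build are reported; the patched Ubuntu and Red Hat packages pass even though their upstream number is still 3.0.2 and 3.0.1, which is exactly the case the plain regex gets wrong.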
Which operating systems are affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?
OpenSSL releases 3.0.0 through 3.0.6 are affected, which covers every 3.0 release since the branch first shipped in September 2021; the 1.1.1 branch is not affected. We've pulled together a running list of common operating systems that ship with OpenSSL as of November 1, 2022:
Is macOS affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?
The news is mostly good for users of macOS (including the latest release, Ventura). macOS does not ship OpenSSL; the openssl command it provides comes from LibreSSL, which is not affected by these vulnerabilities. You can check which library your Mac is using by opening Terminal and running openssl version:
openssl version
LibreSSL 2.8.3
We recommend that you configure your system (System Settings on Ventura, System Preferences on earlier releases) to install security updates automatically. This check is included in our default MacOS Security by Mondoo policy, which cnspec runs by default. Open a terminal on your Mac and run:
cnspec scan local
OpenSSL may be installed by other package managers like Homebrew and MacPorts, so update any packages you manage with those tools to ensure you are pulling in the latest versions.
Is Windows affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?
By default, Windows does not ship with OpenSSL, but any Linux distribution running in Windows Subsystem for Linux (WSL) may be affected, and so may third-party applications that bundle their own OpenSSL 3 build (typically as libssl-3-x64.dll and libcrypto-3-x64.dll next to the program); those have to be updated by their vendors and checked individually.
Is OpenSSH affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?
The OpenSSH project develops against LibreSSL on OpenBSD, while the portable releases used on Linux link against the system OpenSSL, so ssh -V on an affected host will report OpenSSL 3.0.x. OpenSSH does not parse X.509 certificates, which is where the vulnerable code lives, so it is not affected even when linked against an affected OpenSSL.