Vulnerabilities

High OpenSSL Vulnerabilities (CVE-2022-3602 & CVE-2022-3786): Find, Fix, and Enforce Through Open Source

Find the OpenSSL high vulnerabilities (CVE-2022-3602 and CVE-2022-3786) in your environment with Mondoo's new open source tools: cnquery and cnspec. With cnquery's cloud-native asset inventory capabilities, you can detect all instances of the vulnerabilities across your entire infrastructure. Apply the patch to all affected assets and then use cnspec to ensure that no installations with this vulnerability ever go to production again.

openssl

The OpenSSL Project issued rare high vulnerabilities, CVE-2022-3602 and CVE-2022-3786. These vulnerabilities are in OpenSSL versions 3.0.0 through 3.0.6.

How can I tell if my systems are affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?

The table at the end of this article lists operating systems and their default OpenSSL versions. That can give you a rough idea of what you're facing. But to fully understand the impact on your environment, take an asset inventory of OpenSSL versions used in your environment.

But how can I take a complete inventory across all the different types of assets in my multi-cloud or hybrid cloud environment?

Mondoo’s GraphQL-based query language, MQL, allows you to quickly gather information about installed packages on your assets, including container images, VMs, bare-metal servers… everything.

If you have not yet installed cnquery, follow our instructions. Once you've installed, you can gather information about installed packages from a container image:

packages.where(name == /ssl/)
Screenshot1

We added a specific OpenSSL incident response query pack to gather this data quickly. You can validate container images, running containers, virtual machines, and the local machine.

To inspect a container image, run:

$ cnquery scan container ubuntu:22.04 --querypack mondoo-openssl-incident-response

Screenshot2

You can apply the same approach remotely using ssh:

cnquery scan ssh user@host --querypack mondoo-openssl-incident-response

If you need to gather information from a running AWS EC2 instance, just use our EC2 Instance Connect provider:

cnquery scan aws ec2 instance-connect ec2-user@i-1234567890abcdef0 --querypack mondoo-openssl-incident-response
Screenshot3

Find and fix the security risks that pose the biggest threat to your business.

If you use Ansible to manage your instances, just run this command to quickly identify the OpenSSL version. Create or use an existing hosts file:

# Linux Hosts
[mondoo_linux_clients]
104.198.161.240 ansible_user=chris

cnquery understands the inventory format and uses it directly to run the query pack against all targets.

ansible-inventory -i hosts.ini --list | cnquery  scan --inventory-file - --inventory-ansible --insecure --querypack mondoo-openssl-incident-response

Once I find assets affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786), how do I apply patches?

To update the vulnerable OpenSSL version using a shell, enter the command below that matches your operating system.

For Debian and Ubuntu:

apt update && apt --only-upgrade install -y libssl3

For Red Hat:

dnf update openssl-libs

If you're using Ansible to update the vulnerable OpenSSL package, use the values below that match your operating system.

For Debian and Ubuntu:

---
  - hosts: 
    tasks:
      - name: Update OpenSSL package for Debian-based OS
        ansible.builtin.apt:
          name: libssl3
          state: latest
          update_cache: yes
	    only_upgrade: yes
        become: yes

For Red Hat:

---
 - hosts: 
   tasks:
     - name: Update OpenSSL package for Red Hat-based OS
       ansible.builtin.dnf:
         name: openssl-libs
         state: latest
         update_only: yes
       become: yes

How can I ensure that no new installations affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786) ever go to production?

Once you've patched all the identified systems, you want to make sure that no new systems use the affected versions of OpenSSL. We added a new OpenSSL Security Policy to cnspec that validates that all packages are not affected.

If you have not yet installed cnspec, follow our instructions.

cnspec enforces the correct settings through controls that use MQL queries.  This query allows you to verify that the affected version is not used:

packages.where(name == /ssl/).all( version != /3.0.[0123456]/ )

The full policy is available on Github.

cnspec scan local

Screenshot4

It is also possible to scan for vulnerable packages on a system using the vulnerability policy. All you need to do is  register a free account on mondoo.com, register the cnspec client, and run the following commands:

cnspec login –token ‘insert token here’

cnspec vuln container ubuntu:22.04


cnspec vuln ubuntu

Which operating systems are affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?

OpenSSL releases from 3.0.0 to 3.0.6 are affected, impacting all releases after September 2021. We’ve pulled together a running list of common Operating Systems that ship with OpenSSL as of November 1, 2022:

Operating systemDefault versionAffected?
AlmaLinux 81.1.1k-7.el8_6not affected
AlmaLinux 93.0.1-41.el9_0yes, VMs and container
Alpine 3.161.1.1q-r0no
Alpine Edge3.0.5-r3yes, default container images do not ship with OpenSSL, therefore it only affects container images that added it explicitly
Amazon Linux 21.0.2k-24.amzn2no
Amazon Linux 20223.0.5-1.amzn2022yes, VMs and container
Arch Linux1.1.1.q-1no
CentOS 71.0.2k-19.el7no, but the centos 7 container image is deprecated, and should be replaced with AlmaLinux, Rocky Linux, or Red Hat Enterprise Linux (RHEL)
CentOS 81.1.1g-15.el8_3no, but at end-of-Life, switch to AlmaLinux, Rocky Linux ,or Red Hat Enterprise Linux (RHEL)
CentOS 8 Stream1.1.1k-7.el8_6no
CentOS 9 Stream3.0.1-41.el9yes
Debian 101.1.1n-0+deb10u3no, containers do not include it by default; VMs ship the unaffected 1.x
Debian 111.1.1n-0+deb11u3no
Deepin1.1.1d.6-1no
Fedora 341.1.1l-2.fc34no
Fedora 351.1.1l-2.fc35no
Fedora 363.0.2-4.fc36yes
Kali 2022.33.0.4-2yes
Linux Mint 21 Vanessa3.0.2-0ubuntu1.6yes
Linux Mint 20.3 Una1.1.1f-1ubuntu2.16no
Linux Mint 19.3 Tricia1.1.0g-2ubuntu4no
Manjaro1.1.1qno
openSUSE Leap 15.41.1.1l-150400.7.10.5no
openSUSE Tumbleweed1.1.1q-2.1no
Oracle Linux 71.0.2k-25.el7no
Oracle Linux 81.1.1k-7.el8no
Oracle Linux 93.0.1-41.0.1.el9yes, including container images
Pop!_OS3.0.2-0ubuntu1.6
Red Hat Enterprise Linux (RHEL) 61.0.1e-57.el6no, but it is end of life and should be migrated to a newer system
Red Hat Enterprise Linux (RHEL) 71.0.2k-19.el7no, but is on maintenance support and an upgrade should be planned
Red Hat Enterprise Linux (RHEL) 81.1.1k-7.el8_6no
Red Hat Enterprise Linux (RHEL) 93.0.1-41.el9_0yes, is also included in the UBI standard and minimal container images
Rocky Linux 81.1.1k-6.el8_5no
Rocky Linux 93.0.1-41.el9_0yes, including container images
SUSE Linux Enterprise Server 12 SP51.0.2p-1.13no
SUSE Linux Enterprise Server 15 SP41.1.0i-3.3.1no
Ubuntu 20.041.1.1f-1ubuntu2.16no, container does not ship with openssl as default
Ubuntu 22.043.0.2-0ubuntu1.6yes, also included in default base container image
Ubuntu 22.103.0.5-2ubuntu1yes, but not included in container images


Is macOS affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?

The news is mostly good for users of macOS (including the latest macOS release, Ventura). macOS does not ship with OpenSSL by default; it instead uses the LibreSSL library, which is not affected by this vulnerability. You can easily check which version of OpenSSL your Mac is using by opening the Terminal and running the command openssl version.

openssl version
LibreSSL 2.8.3

We recommend that you configure your system (in System Preferences) to apply high security patches. This check is included in our default MacOS Security by Mondoo policy, which cnspec runs by default. Simply open a terminal on your Mac and run the following command:

cnspec scan local

OpenSSL may be installed by other package managers like Homebrew and MacPorts, so update any packages you manage with those tools to ensure you are pulling in the latest versions.

Is Windows affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?

By default, Windows does not ship with OpenSSL, but any Linux installation running in Windows Subsystem for Linux (WSL) may be affected.

Is OpenSSH affected by the OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)?

The OpenSSH project itself switched to the OpenSSL fork LibreSSH and is not affected.

Christoph Hartmann

Christoph Hartmann, co-founder and CTO at Mondoo, wants to make the world more secure. He’s long been a leader in security engineering and DevOps, creating widely adopted solutions like Dev-Sec.io and InSpec. For fun, he builds everything from custom operating systems to autonomous Lego Mindstorm robots.

You might also like

Releases
Mondoo September 2024 Release Highlights
Releases
Mondoo August 2024 Release Highlights
Releases
Mondoo July 2024 Release Highlights