OpenSSL 3.0 Critical CVE (CVE-2022-3602, CVE-2022-3786)

Posted November 1, 2022 by Thomas Kooi - 2 min read

OpenSSL 3.0 Critical CVE Security Announcement (CVE-2022-3602 & CVE-2022-3786)

OpenSSL announced a Critical security fix to be released on Tuesday, November 1st. Avisi Cloud has performed a comprehensive audit and has established that the Avisi Cloud platform, including Avisi Managed Environments and our managed Kubernetes services, is not impacted by the OpenSSL 3.0 Critical CVE.

The release includes fixes for CVE-2022-3602 and CVE-2022-3786.

Note that the OpenSSL project originally announced a single Critical vulnerability, but this has since been split into two separate CVEs and reclassified as High severity. See also NCSC-NL/OpenSSL-2022 for a list of affected software.

Actions required

If you run Kubernetes, you may need to search through your container images to determine whether OpenSSL 3.0 is present in any of the containers used in your cluster. One way to do this is to generate a Software Bill of Materials (SBOM) for each container image with a tool such as syft. We have included an example script that scans a Kubernetes cluster this way.

Information

For more information about the CVE, see also the update from the NCSC, or any of the following sources:

Example Script with syft

Example script to use syft to scan your entire cluster (init containers are included as well, since they can ship their own copy of OpenSSL):

#!/bin/bash

# Collect the unique set of images used by the cluster's pods, from both regular
# containers and init containers.
images=$(kubectl get pods --all-namespaces \
  -o jsonpath='{.items[*].spec.containers[*].image}{" "}{.items[*].spec.initContainers[*].image}' \
  | tr -s '[[:space:]]' '\n' | sort -u)

echo "Scanning images:"
printf '%s\n' "$images"

for i in $images
do
  echo "syft $i"
  # syft generates an SBOM for the image; keep only packages whose name mentions
  # ssl (openssl, libssl3, ...) so the OpenSSL version in each image is visible.
  syft "$i" | grep -i ssl || echo "  no ssl package found in $i"
done
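The script above only greps syft's text output, so deciding which hits are actually OpenSSL 3.0 is left to the reader. As an added example, not part of the original post, here is a triage step that reads the JSON syft emits with `syft <image> -o json` and reports the packages in the OpenSSL 3.0 series. The package-name pattern and the sample SBOM are constructed assumptions; the optional fixed_version parameter is set by the reader from the OpenSSL advisory, since this post names only the 3.0 series.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Names under which OpenSSL ships across distros: openssl, openssl-libs,
# libssl3, libcrypto3, ... Deliberately broad (assumption, not exhaustive);
# the version filter below drops 1.1.x hits.
OPENSSL_NAME_RE = re.compile(r"^(openssl|libssl|libcrypto)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """major.minor.patch from a distro version string, e.g. '3.0.2-0ubuntu1.6',
    '3.0.5-r2' or '1:3.0.1-43.el9' (the epoch prefix is skipped)."""
    m = VERSION_RE.search(raw)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def find_openssl3(sbom_json: str, fixed_version: Optional[str] = None) -> List[Dict]:
    """OpenSSL packages in the 3.0 series found in a syft JSON SBOM.
    fixed_version=None reports every 3.0.x package (is OpenSSL 3.0 present at
    all?); with a version string, only packages older than it are reported."""
    threshold = parse_version(fixed_version) if fixed_version else None
    hits = []
    for pkg in json.loads(sbom_json).get("artifacts", []):
        if not OPENSSL_NAME_RE.match(pkg.get("name", "")):
            continue
        ver = parse_version(pkg.get("version", ""))
        if ver is None or ver[:2] != (3, 0):
            continue  # 1.1.x and 3.1+ are outside the series this advisory covers
        if threshold is not None and ver >= threshold:
            continue  # already at or beyond the fixed release
        hits.append({"name": pkg["name"], "version": pkg["version"], "type": pkg.get("type")})
    return hits


# Constructed sample in syft's JSON layout (only the fields used here).
SAMPLE_SBOM = json.dumps({"artifacts": [
    {"name": "libssl3", "version": "3.0.2-0ubuntu1.6", "type": "deb"},
    {"name": "openssl", "version": "3.0.5-r2", "type": "apk"},
    {"name": "libssl1.1", "version": "1.1.1n-0+deb11u3", "type": "deb"},
    {"name": "openssl-libs", "version": "1:1.1.1k-7.el8_6", "type": "rpm"},
    {"name": "ca-certificates", "version": "20211016", "type": "deb"},
]})

if __name__ == "__main__":
    for hit in find_openssl3(SAMPLE_SBOM):
        print(f"{hit['type']}: {hit['name']} {hit['version']}")
```

Feed it the output of `syft "$i" -o json` for each image from the script above; with the constructed sample it reports libssl3 3.0.2 and openssl 3.0.5 and ignores the 1.1.x packages.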