OpenSSL announced a Critical Security fix to be released on Tuesday November 1st. Avisi Cloud has performed a comprehensive audit and has established that the Avisi Cloud platform, including Avisi Managed Environments and our managed Kubernetes services, is not impacted by the OpenSSL 3.0 Critical CVE.
This includes the following CVE fixes:
- X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602). This allows potential remote code execution against clients.
- X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786). This allows a potential denial of service.
Note that the OpenSSL project originally announced a single critical vulnerability; this has since been split into two separate CVEs and reclassified as High severity. See also NCSC-NL/OpenSSL-2022 for a list of affected software.
Actions required
If you are using Kubernetes, you may need to search through your container images to determine whether OpenSSL 3.0 is present in any of the containers running in your cluster. One way to do this is to generate a Software Bill of Materials (SBOM) for each container image using a tool such as syft. We have included an example script file to scan a Kubernetes cluster.
Information
For more information about the CVE, see also the update from the NCSC, or any of the following sources:
Example Script with syft
Example script to use syft to scan your entire cluster:
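The following is an added example, not the script shipped by Avisi Cloud: it lists every image used by running pods, generates an SBOM per image with syft, and flags OpenSSL-family packages whose upstream version falls in 3.0.0 through 3.0.6. It assumes kubectl with cluster access, syft and a POSIX shell are installed; distro builds with a backported fix (for example a "3.0.2-<revision>" package) are flagged as well, because the upstream version alone cannot reveal the backport.

```shell
#!/bin/sh
# Added example (not the advisory's own script): SBOM every running image with
# syft and flag OpenSSL-family packages at upstream 3.0.0 .. 3.0.6 (fixed in 3.0.7).
set -e

# True (exit 0) when the version string carries upstream OpenSSL 3.0.0 .. 3.0.6.
# An rpm/deb epoch ("1:") and the distro revision ("-r0", "-0ubuntu1.6",
# "-41.el9") are stripped first, so distro builds with a backported fix are
# flagged too; verify such hits against the distribution's own advisory.
openssl_needs_review() {
    v=${1#*:}
    v=${v%%-*}
    case "$v" in
        3.0.[0-6]) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads syft's table output (NAME VERSION TYPE columns) on stdin and prints
# "<name> <version>" for every OpenSSL-family package that needs review.
flag_openssl_packages() {
    while read -r name version _rest; do
        case "$name" in
            openssl*|libssl*|libcrypto*) ;;
            *) continue ;;
        esac
        if openssl_needs_review "$version"; then
            printf '%s %s\n' "$name" "$version"
        fi
    done
}

# Collects the images of all containers and init containers in all namespaces,
# de-duplicates them, and reports the flagged packages per image.
scan_cluster() {
    kubectl get pods --all-namespaces \
        -o jsonpath='{.items[*].spec.containers[*].image} {.items[*].spec.initContainers[*].image}' \
        | tr -s '[[:space:]]' '\n' | sort -u | while read -r image; do
            [ -n "$image" ] || continue
            hits=$(syft "$image" -q -o table | flag_openssl_packages) || true
            if [ -n "$hits" ]; then
                printf '%s\n%s\n\n' "$image" "$hits"
            fi
        done
}
# Run the scan only when the tooling is present, so the helpers can be sourced.
if command -v kubectl >/dev/null 2>&1 && command -v syft >/dev/null 2>&1; then
    scan_cluster
fi
```

Each flagged image is printed followed by its matching packages; an empty report means no OpenSSL 3.0.0 through 3.0.6 package was found in any running image.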