Trying to patch a vulnerability and understand OpenSSL versions in Amazon Linux 2

0

Hello, A vulnerability scan on our EC2 instance is revealing it is susceptible to CVE-2022-1292 and so I am trying to patch it to keep it secure. My currently installed version of OpenSSL is

openssl.x86_64 1:1.0.2k-24.amzn2.0.4 @amzn2-core

This is the newest available version of the openssl package in the yum repository, but (from the linked CVE page): "[The vulnerability is] Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd)." meaning I am a few versions behind where I need to be.

How can I reconcile this? Thanks.

1 Answer
0

Hi there

Please take a look at this answer

https://repost.aws/questions/QUaugGX-qTQAGlNnaQil5zig/is-open-ssl-1-0-2-k-updated

From the Amazon Linux 2 FAQ (https://aws.amazon.com/amazon-linux-2/faqs/)

Q. What is included in the Long Term Support for Amazon Linux 2?

Long-term support for Amazon Linux 2 only applies to core packages and includes:
1) AWS will provide security updates and bug fixes for all packages in core until June 30, 2024.

From https://alas.aws.amazon.com/AL2/ALAS-2022-1801.html: The latest package for addressing (CVE-2022-1292) is openssl-1.0.2k-24.amzn2.0.3.x86_64

AWS
EXPERT
answered 2 years ago
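The point of the answer above is that Amazon Linux 2 backports the fix without bumping the upstream version string, so the right check is the package release named in the ALAS advisory plus the CVE id in the RPM changelog, not the upstream "fixed in 1.0.2ze". The script below is an added example, not from the thread or from AWS; the changelog entries in it are constructed, and the `rpm` query is only used when `rpm` is present on the host.

```shell
#!/bin/sh
# Added example (not from the re:Post thread). Decides whether an installed
# Amazon Linux 2 openssl package carries the backported CVE-2022-1292 fix by
# comparing its version-release with the one ALAS-2022-1801 names and by
# looking for the CVE id in the RPM changelog.

# Return 0 if the installed version-release is at least the advisory's fixed
# version-release. Both strings must use the same form (epoch on both or on
# neither). GNU sort -V compares digit runs numerically, so
# 1.0.2k-24.amzn2.0.4 sorts above 1.0.2k-24.amzn2.0.3.
vr_at_least() {
    installed="$1"
    fixed="$2"
    [ "$installed" = "$fixed" ] && return 0
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# Return 0 if a changelog fed on stdin names the given CVE id.
changelog_mentions() {
    grep -q -- "$1"
}

# Constructed sample in the layout `rpm -q --changelog openssl` prints; only
# the version-release values and the CVE id come from the thread.
SAMPLE_CHANGELOG='* Mon May 09 2022 Amazon Linux (constructed entry) - 1:1.0.2k-24.amzn2.0.3
- Backport fix for CVE-2022-1292
* Tue Mar 15 2022 Amazon Linux (constructed entry) - 1:1.0.2k-24.amzn2.0.2
- earlier changes'

# Values from the question and from the ALAS advisory quoted in the answer.
INSTALLED_VR="1:1.0.2k-24.amzn2.0.4"
ALAS_FIXED_VR="1:1.0.2k-24.amzn2.0.3"

# On a real Amazon Linux 2 host, query rpm; elsewhere fall back to the sample.
if command -v rpm >/dev/null 2>&1; then
    INSTALLED_VR=$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null || echo "$INSTALLED_VR")
    CHANGELOG=$(rpm -q --changelog openssl 2>/dev/null || echo "$SAMPLE_CHANGELOG")
else
    CHANGELOG="$SAMPLE_CHANGELOG"
fi

if vr_at_least "$INSTALLED_VR" "$ALAS_FIXED_VR" \
   && printf '%s\n' "$CHANGELOG" | changelog_mentions CVE-2022-1292; then
    echo "openssl $INSTALLED_VR: CVE-2022-1292 fix present (per ALAS-2022-1801)"
else
    echo "openssl $INSTALLED_VR: CVE-2022-1292 fix NOT confirmed; check ALAS-2022-1801"
fi
```

Comparing the installed 1.0.2k against the upstream 1.0.2ze with the same sort would report it as behind, which is exactly the false alarm the scanner raised; always compare against the release the ALAS advisory names.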
