OpenSSL v3 vulnerability: Are all ECS-optimized AMIs affected or just the Amazon Linux 2022 based ones?

0

https://aws.amazon.com/security/security-bulletins/AWS-2022-008/ says

Customers utilizing Amazon Linux 2022, Bottlerocket OS or ECS-optimized Amazon Machine Images (AMIs) on Amazon ECS should read the instructions below.

Which sounds like all ECS-optimized AMIs are affected. However, the recommendation is:

we recommend that ECS customers update the version of OpenSSL 3.0 via DNF configuration.

To my understanding, DNF is only available on Amazon Linux 2022.

Checking the version of openssl in one of our instances that run an Amazon Linux 2 based ECS-optimized AMI, I get:

sh-4.2$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

Can I consider Amazon Linux 2 based ECS-optimized AMIs to be unaffected by CVE-2022-3602 and CVE-2022-3786?

1 Answer
0
Accepted Answer

Thank you for the detailed description.

Yes, the ECS-optimized Amazon Linux 2 AMI is not affected, as OpenSSL 3.0 is not shipped in this version, as also shown by your openssl version command output and this quote from https://aws.amazon.com/security/security-bulletins/AWS-2022-008/: "Amazon Linux 2 do not ship with OpenSSL 3.0 and are not affected by these issues".

AWS
weidi
answered a year ago
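The check discussed in this thread, generalized to a fleet, as an added example that is not part of the original question or answer and is not AWS code. It sorts collected `openssl version` output by whether the host is on the OpenSSL 3.0 series that the bulletin addresses; the function names, host names and the 3.0.2 sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl version` output against the scope stated in
# AWS-2022-008, which concerns the OpenSSL 3.0 series.

# classify_openssl "<output of openssl version>"
# Prints one of: in-scope-3.0 | not-3.0 | not-openssl | unparsed
classify_openssl() {
    line=$1
    impl=${line%% *}      # first word: implementation name
    rest=${line#* }
    ver=${rest%% *}       # second word: version string, e.g. 1.0.2k-fips
    case $impl in
        OpenSSL) ;;
        LibreSSL) echo not-openssl; return 0 ;;   # different implementation
        *) echo unparsed; return 0 ;;             # empty or unexpected output
    esac
    case $ver in
        3.0.[0-9]*) echo in-scope-3.0 ;;          # follow the bulletin's update steps
        [0-9]*.[0-9]*.[0-9]*) echo not-3.0 ;;     # e.g. 1.0.2k-fips, 1.1.1, 3.1.x
        *) echo unparsed ;;
    esac
}

# in_scope_hosts: read "<host><TAB><openssl version output>" lines on stdin
# and print only the hosts running an OpenSSL 3.0.x build.
in_scope_hosts() {
    tab=$(printf '\t')
    while IFS=$tab read -r host out; do
        [ -n "$host" ] || continue
        if [ "$(classify_openssl "$out")" = in-scope-3.0 ]; then
            echo "$host"
        fi
    done
    return 0
}

# Constructed sample inventory: host names and the 3.0.2 line are made up;
# the 1.0.2k-fips line is the output quoted in the question.
sample_inventory() {
    printf '%s\t%s\n' \
        'ecs-al2-a'    'OpenSSL 1.0.2k-fips  26 Jan 2017' \
        'ecs-al2022-b' 'OpenSSL 3.0.2 15 Mar 2022' \
        'build-mac-c'  'LibreSSL 2.8.3'
}

sample_inventory | in_scope_hosts
```

This only reflects the `openssl` binary on the host's PATH. Container images running on those ECS instances carry their own libraries, so the same check has to be run inside each image.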
