Trying to patch a vulnerability and understand OpenSSL versions in Amazon Linux 2

0

Hello, a vulnerability scan on our EC2 instance is revealing it is susceptible to CVE-2022-1292 and so I am trying to patch it to keep it secure. My currently installed version of OpenSSL is

openssl.x86_64 1:1.0.2k-24.amzn2.0.4 @amzn2-core

This is the newest available version of the openssl package in the yum repository, but (from the linked CVE page): "[The vulnerability is] Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd)." meaning I am a few versions behind where I need to be.

How can I reconcile this? Thanks.

1 answer
0

Hi there

Please take a look at this answer

https://repost.aws/questions/QUaugGX-qTQAGlNnaQil5zig/is-open-ssl-1-0-2-k-updated

From the Amazon Linux 2 FAQ (https://aws.amazon.com/amazon-linux-2/faqs/)

Q. What is included in the Long Term Support for Amazon Linux 2?

Long-term support for Amazon Linux 2 only applies to core packages and includes:
1) AWS will provide security updates and bug fixes for all packages in core until June 30, 2024.

From https://alas.aws.amazon.com/AL2/ALAS-2022-1801.html: The latest package for addressing (CVE-2022-1292) is openssl-1.0.2k-24.amzn2.0.3.x86_64

AWS
Expert
answered 2 years ago
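The answer's point is that Amazon Linux backports the fix under the distribution's own release number, so the right check is the installed epoch:version-release against the package ALAS-2022-1801 names, not against upstream 1.0.2ze. As an added example (not from the original post or from AWS), the script below reimplements RPM's segment-wise version comparison so the check runs offline without rpm; the two version strings are the ones quoted on this page, and treating a missing epoch as "compare version-release only" is an assumption.

```python
"""Check whether the installed openssl RPM is at or past the ALAS-fixed build.

Added example, not from the original post or from AWS. rpmvercmp() follows
rpm's rules: numeric segments compare as integers, alpha segments as strings,
numeric beats alpha, and '~' sorts before anything (pre-release).
"""
import re

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b (rpm's rpmvercmp)."""
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer
        elif x != y:
            return -1 if x < y else 1
    if len(ta) == len(tb):
        return 0
    # Leftover segments: a trailing '~' makes that side older, anything else newer.
    a_longer = len(ta) > len(tb)
    leftover = (ta if a_longer else tb)[min(len(ta), len(tb))]
    return 1 if a_longer != (leftover == "~") else -1


def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch or None, version, release)."""
    epoch = None
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    # Assumption: when either side omits the epoch (the ALAS line does),
    # compare version-release only instead of rpm's "missing epoch is 0".
    if ea is not None and eb is not None and ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed EVR is equal to or newer than the fixed EVR."""
    return evrcmp(installed, fixed) >= 0


INSTALLED = "1:1.0.2k-24.amzn2.0.4"  # yum output quoted in the question
ALAS_FIXED = "1.0.2k-24.amzn2.0.3"   # ALAS-2022-1801, name and arch stripped

if __name__ == "__main__":
    print(is_patched(INSTALLED, ALAS_FIXED))  # True
```

Running it against the versions on this page returns True: the installed build is one release past the ALAS-fixed one, while a naive upstream comparison (1.0.2k against 1.0.2ze) would still report it as behind.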
