Trying to patch a vulnerability and understand OpenSSL versions in Amazon Linux 2


Hello, a vulnerability scan on our EC2 instance is revealing it is susceptible to CVE-2022-1292 and so I am trying to patch it to keep it secure. My currently installed version of OpenSSL is

openssl.x86_64 1:1.0.2k-24.amzn2.0.4 @amzn2-core

This is the newest available version of the openssl package in the yum repository, but (from the linked CVE page): "[The vulnerability is] Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd)." meaning I am a few versions behind where I need to be.

How can I reconcile this? Thanks.

1 Answer

Hi there

Please take a look at this answer

https://repost.aws/questions/QUaugGX-qTQAGlNnaQil5zig/is-open-ssl-1-0-2-k-updated

From the Amazon Linux 2 FAQ (https://aws.amazon.com/amazon-linux-2/faqs/)

Q. What is included in the Long Term Support for Amazon Linux 2?

Long-term support for Amazon Linux 2 only applies to core packages and includes:
1) AWS will provide security updates and bug fixes for all packages in core until June 30, 2024.

From https://alas.aws.amazon.com/AL2/ALAS-2022-1801.html: The latest package for addressing (CVE-2022-1292) is openssl-1.0.2k-24.amzn2.0.3.x86_64

Matt-B
answered 2 years ago
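The point of the answer is that the fix is a distro backport, so the question is not "is 1.0.2k older than 1.0.2ze" but "is the installed epoch:version-release at or past the one ALAS-2022-1801 names". The following is an added example, not code from the question, the answer or AWS: a Python port of rpm's version comparison plus a small check against the advisory string; `is_patched`, `parse_evr` and the recognised arch suffixes are my own names and assumptions.

```python
import re

_SEP = re.compile(r"[^A-Za-z0-9~]*")            # characters that only separate segments
_SEG = {True: re.compile(r"[0-9]+"), False: re.compile(r"[A-Za-z]+")}
_EVR = re.compile(r"(?:(\d+):)?([^-:]+)-([^-]+?)(?:\.(?:x86_64|aarch64|i686|noarch))?")

def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1, 0 or 1 as a is older than, equal to or newer than b.
    Numeric segments outrank alphabetic ones; '~' marks a pre-release ('^' omitted: AL2 rpm is 4.11)."""
    while a or b:
        a, b = a[_SEP.match(a).end():], b[_SEP.match(b).end():]
        if a.startswith("~") or b.startswith("~"):   # pre-release sorts before release
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not (a and b):
            break
        isnum = a[0].isdigit()
        sa, sb = _SEG[isnum].match(a), _SEG[isnum].match(b)
        if sb is None:                                # segment types differ: numeric wins
            return 1 if isnum else -1
        sa, sb = sa.group(), sb.group()
        a, b = a[len(sa):], b[len(sb):]
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):                    # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    return (a != "") - (b != "")                      # whichever still has characters left wins

def parse_evr(pkg):
    """'[epoch:]version-release[.arch]' -> (epoch or None, version, release)."""
    m = _EVR.fullmatch(pkg)
    if m is None:
        raise ValueError(f"not an EVR string: {pkg!r}")
    return m.groups()

def is_patched(installed, fixed):
    """True when the installed EVR is at or past the fixed EVR from the advisory. Epochs compare
    only if both sides carry one: ALAS pages omit the '1:' seen in yum, and missing is not 0."""
    e1, v1, r1 = parse_evr(installed)
    e2, v2, r2 = parse_evr(fixed)
    if e1 is not None and e2 is not None and int(e1) != int(e2):
        return int(e1) > int(e2)
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0
```

With the question's installed string and the advisory's package string, `is_patched("1:1.0.2k-24.amzn2.0.4", "1.0.2k-24.amzn2.0.3.x86_64")` is True, while `rpmvercmp("1.0.2k", "1.0.2ze")` is -1, which is exactly the comparison the scanner is making against upstream numbering.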
