By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

OpenSSL v3 vulnerability: Are all ECS-optimized AMIs affected or just the Amazon Linux 2022 based ones?

0

https://aws.amazon.com/security/security-bulletins/AWS-2022-008/ says

Customers utilizing Amazon Linux 2022, Bottlerocket OS or ECS-optimized Amazon Machine Images (AMIs) on Amazon ECS should read the instructions below.

Which sounds like all ECS-optimized AMIs are affected. However, the recommendation is:

we recommend that ECS customers update the version of OpenSSL 3.0 via DNF configuration.

To my understanding, DNF is only available on Amazon Linux 2022.

Checking the version of openssl in one of our instances that run an Amazon Linux 2 based ECS-optimized AMI, I get:

sh-4.2$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

Can I consider Amazon Linux 2 based ECS-optimized AMIs to be unaffected by CVE-2022-3602 and CVE-2022-3786?

Topics
ContainersAWS Well-Architected Framework
Tags
Amazon Elastic Container ServiceSecurity
Language
English
rePost-User-5069736
asked a year ago297 views
1 Answer
0
Accepted Answer

Thank you for the detailed description.

Yes, ECS-optimized Amazon Linux 2 AMI is not affected as OpenSSL 3.0 is not shipped in this version, as also per your openssl version command output and this quote Amazon Linux 2 do not ship with OpenSSL 3.0 and are not affected by these issues from https://aws.amazon.com/security/security-bulletins/AWS-2022-008/.

AWS
weidi
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content