The big news this week is that a new CRITICAL OpenSSL vulnerability will be announced on November 1st, 2022. Critical-severity OpenSSL vulnerabilities don’t come along every day – the last was CVE-2016-6309, which ended up only affecting a single version of the software. The more famous vulnerability, known as Heartbleed, came out in 2014. Will this be more like Heartbleed or the vulnerability in 2016? We will soon find out.
To see how Sysdig Secure can help you prepare to patch the vulnerability, see this blog post.
The only concrete information available is that the new vulnerability only affects the 3.0.x versions of OpenSSL. Everyone still running the 1.1.1 versions should be safe, this time. Knowing that, you can actually get some idea of what the impact in your environment might be. The ISC Storm Center posted a blog on common Linux distributions and which version of OpenSSL comes installed by default.
However, their blog post doesn’t cover the most common container base images. According to the 2022 Sysdig Cloud and Container Usage Report, they are RHEL, Alpine, and Debian. We spun up the images from Docker Hub and checked if they had OpenSSL by default, and if not, what would you get if you installed OpenSSL from the package manager. We also checked some of the most common application images.
| Image Name | Version Installed by Default | Package Manager Version |
|---|---|---|
| rhel/ubi8 | N/A | 1.1.1k |
| alpine | N/A | 1.1.1q |
| ubuntu (22.04) | N/A | 3.0.2 |
| debian | N/A | 1.1.1n |
| nginx | 1.1.1n | N/A |
| mysql | 1.1.1k | N/A |
| nodejs | 3.0.5 (static) | N/A |
| centos | N/A | 1.1.k |
| amazonlinux | N/A | 1.0.2k |
| postgres | N/A | 1.1.1n |
| mongo | 1.1.1f | N/A |
| redis | N/A | 1.1.1n |
| rabbitmq | 1.1.1q | N/A |
Summary of OpenSSL vulnerability
The good news is that the OS container images don’t tend to have OpenSSL installed by default. It’s not surprising as it is good form to keep container images as minimal as possible. Most of the default package manager installs also don’t use OpenSSL 3.0.x. Application images, as we see, are much more likely to have a version of OpenSSL installed.
There is also a lot of version drift with applications and OpenSSL versions!
When the details about the CVE come out, proper vulnerability management processes should be followed. Hopefully, this article gave you some idea of what the impact might be on your container environment. When more details about the CVE are released, we will release another post going into more detail about how the OpenSSL vulnerability works and the risks it poses.
If you want to know more about What is a Vulnerability: