On November 1st, 2022, OpenSSL announced a pair of High Severity vulnerabilities in versions 3.0.0 through 3.0.6 of OpenSSL. The vulnerability is a buffer overflow that can only be triggered under a very specific set of circumstances. In some cases there is a possibility of remote code execution. However, it is important to note:
This occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.
Since exploitation requires either a misconfigured OpenSSL server that continues past a failed chain verification or a malicious certificate that a CA has actually signed, it is unlikely that most systems will be vulnerable to this attack. Additionally, the buffer overflow protections built into many operating systems will mitigate the vulnerability.
To quote Rapid7’s blog:
For both scenarios, these kinds of attacks do not lend themselves well to widespread exploitation.
Despite the low chance of exploitation, it is recommended that users update to the latest versions of any containers that carry the patch. Fairwinds Insights, a Kubernetes governance platform, can help identify vulnerabilities in any container images.
Identifying where you are vulnerable in Fairwinds Insights is easy:
Navigate to the Vulnerabilities page
Click the All Images tab
Enter CVE-2022-3602 into the search box, then press Enter
A list of affected images will appear in the table
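For hosts or images that are not yet scanned by Insights, the same affected-range check can be run by hand. The script below is an added example, not Fairwinds' or OpenSSL's code: it parses the banner printed by `openssl version` and flags builds whose upstream version is 3.0.0 through 3.0.6 (3.0.7 carries the fix; 1.1.1 and earlier are not affected).

```python
import re
import subprocess

# Affected range for CVE-2022-3602: 3.0.0 up to but not including 3.0.7.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 7)

# Matches the leading "OpenSSL X.Y.Z" of a version banner; a trailing
# letter suffix such as "1.1.1q" is ignored by the pattern.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str):
    """Return (major, minor, patch) from `openssl version` output, or None
    when the banner is not an OpenSSL one (LibreSSL prints its own name)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(banner: str) -> bool:
    """True when the upstream version lies in 3.0.0 .. 3.0.6.

    Caveat: distributions sometimes backport a fix without bumping the
    upstream version string, so confirm against the package changelog as well.
    """
    version = parse_openssl_version(banner)
    if version is None:
        return False
    return AFFECTED_MIN <= version < FIXED_IN


def local_openssl_affected(openssl_bin: str = "openssl") -> bool:
    """Run `openssl version` on this host and evaluate its banner."""
    result = subprocess.run([openssl_bin, "version"], capture_output=True,
                            text=True, check=False)
    return is_affected(result.stdout)


if __name__ == "__main__":
    # Constructed sample banners in the format `openssl version` prints.
    for banner in ("OpenSSL 3.0.5 5 Jul 2022",
                   "OpenSSL 3.0.7 1 Nov 2022",
                   "OpenSSL 1.1.1q  5 Jul 2022"):
        print(banner, "->", "AFFECTED" if is_affected(banner) else "not affected")
```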
If you are interested in learning how Fairwinds Insights auto-scans for container vulnerabilities, get in touch.