Guidance for OpenSSL Vulnerability Disclosures (02/07/23)

lychiang · ‎02-13-2023

Advisory:

CVE-2022-4304
CVE-2022-4450
CVE-2023-0215
CVE-2023-0286

Affected version: Impacts all versions of OpenSSL 1.1.1 (installed default version on Ubuntu 20 is 1.1.1f-1ubuntu2.16)

Execute below two commands to check the version of openssl and libssl1.1:

apt list --installed | grep openssl/focal-updates
apt list --installed | grep libssl1.1

if the output showing version less than 1.1.1f-1ubuntu2.17 amd64 , you will need to perform the steps to upgrade the openssl and libssl1.1

In Expedition CLI execute below commands:

Update the package index:
sudo apt-get update
Install deb lib packages:
sudo apt-get install openssl
sudo apt-get install libssl1.1
Check packages are installed
apt list --installed | grep openssl/focal-updates
Expected output: openssl/focal-updates,focal-security,now 1.1.1f-1ubuntu2.17 amd64 [installed]
apt list --installed | grep libssl1.1
Expected output: libssl1.1/focal-updates,focal-security,now 1.1.1f-1ubuntu2.17 amd64 [installed,automatic]

Johnson_Tan · ‎02-16-2023

May I know if this is the remediation/workaround for the abovementioned CVEs?

I checked Palo Alto advisories as well but there is no mention of this as this is still an ongoing investigation.

Also, what about these CVEs?

- CVE-2022-4203
- CVE-2023-0216
- CVE-2023-0217
- CVE-2023-0401

lychiang · ‎02-16-2023

@Johnson_Tan Yes this article is to address the mentioned CVE:

CVE-2022-4304
CVE-2022-4450
CVE-2023-0215
CVE-2023-0286

Regarding the CVEs you mentioned, there is no fix from openssl yet.