Guidance for OpenSSL Vulnerability Disclosures (02/07/23)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L6 Presenter
No ratings

Advisory:

Guidance for OpenSSL Vulnerability Disclosures (02/07/23)

CVE-2022-4304
CVE-2022-4450
CVE-2023-0215
CVE-2023-0286

 

Affected version: Impacts all versions of OpenSSL 1.1.1 (installed default version on Ubuntu 20 is 1.1.1f-1ubuntu2.16)

 

Diagnosis

Execute below two commands to check the version of openssl and libssl1.1:

 

apt list --installed | grep openssl/focal-updates
apt list --installed | grep libssl1.1

if the output showing version less than 1.1.1f-1ubuntu2.17 amd64 , you will need to perform the steps to upgrade the openssl and libssl1.1

 

Solution

In Expedition CLI execute below commands:

 

  1. Update the package index:
    sudo apt-get update
  2. Install deb lib packages:
    sudo apt-get install openssl
    sudo apt-get install libssl1.1
  3. Check packages are installed
    apt list --installed | grep openssl/focal-updates
    Expected output: openssl/focal-updates,focal-security,now 1.1.1f-1ubuntu2.17 amd64 [installed]
    apt list --installed | grep libssl1.1
    Expected output: libssl1.1/focal-updates,focal-security,now 1.1.1f-1ubuntu2.17 amd64 [installed,automatic]
Rate this article:
Comments
L0 Member

Hi Lychiang,

 

May I know if this is the remediation/workaround for the abovementioned CVEs?

I checked Palo Alto advisories as well but there is no mention of this as this is still an ongoing investigation.

Also, what about these CVEs?

 

- CVE-2022-4203
- CVE-2023-0216
- CVE-2023-0217
- CVE-2023-0401

L6 Presenter

@Johnson_Tan Yes this article is to address the mentioned CVE:

CVE-2022-4304
CVE-2022-4450
CVE-2023-0215
CVE-2023-0286

 

Regarding the CVEs you mentioned, there is no fix from openssl yet. 

  • 4190 Views
  • 2 comments
  • 1 Likes
Register or Sign-in
Contributors
Article Dashboard
Version history
Last Updated:
‎02-13-2023 10:47 AM
Updated by: