Source |
Vuln AWS |
Identifier |
8296118 |
Publication date |
2022-11-01 17:39:26 (viewed: 2022-12-30 21:12:45) |
Title |
OpenSSL Security Advisories - November 2022 |
Text |
Initial Publication Date: 2022/11/01 09:00 PDT
AWS is aware of the recently reported issues regarding OpenSSL 3.0 (CVE-2022-3602 and CVE-2022-3786). AWS services are not affected, and no customer action is required. Additionally, Amazon Linux 1 and Amazon Linux 2 do not ship with OpenSSL 3.0 and are not affected by these issues. Customers utilizing Amazon Linux 2022, Bottlerocket OS or ECS-optimized Amazon Machine Images (AMIs) on Amazon ECS should read the instructions below.
As a security best practice, we encourage customers who manage environments containing OpenSSL 3.0 to update to the latest version, available at https://www.openssl.org/source/ or via their operating system's software update mechanism.
Amazon Linux 2022
We will release an updated version of OpenSSL 3.0 to the Amazon Linux 2022 repositories shortly. Once available, customers testing the preview release of Amazon Linux 2022 should upgrade to the patched version of OpenSSL 3.0. Updated Amazon Linux 2022 AMIs will also be available shortly.
More information is available in the Amazon Linux Security Center: https://alas.aws.amazon.com/alas2022.html
Amazon Elastic Container Service
Amazon ECS will release updated ECS-optimized Amazon Machine Images (AMIs) containing mitigations for these issues shortly. More information about the ECS-optimized AMI is available at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html.
Meanwhile, we recommend that ECS customers who use the preview release of the ECS-optimized Amazon Linux 2022 AMI update the version of OpenSSL 3.0 via DNF configuration. More information is available at https://docs.aws.amazon.com/linux/al2022/ug/managing-repos-os-updates.html.
Bottlerocket OS
While Bottlerocket OS itself is not affected by these issues, we will shortly release a patched version of the Bottlerocket Update Operator solution containing the latest version of OpenSSL 3.0. Customers using the preview versions of the Bottlerocket Update Operator should upgrade to the new 1.0.0 version when it is available. We expect version 1.0.0 to be available no later than November 2, 2022.
Information about the Bottlerocket Update Operator is available at https://github.com/bottlerocket-os/bottlerocket-update-operator and security advisories may be found at https://github.com/bottlerocket-os/bottlerocket-update-operator/security/advisories. |
Sent |
Yes |
Rating |
★★
|