AWS-2022-008
Initial Publication Date: 2022/11/01 09:00 PDT

AWS is aware of the recently reported issues regarding OpenSSL 3.0 (CVE-2022-3602 and CVE-2022-3786). AWS services are not affected, and no customer action is required. Additionally, Amazon Linux 1 and Amazon Linux 2 do not ship with OpenSSL 3.0 and are not affected by these issues. Customers utilizing Amazon Linux 2022, Bottlerocket OS or ECS-optimized Amazon Machine Images (AMIs) on Amazon ECS should read the instructions below.

As a security best practice, we encourage customers who manage environments containing OpenSSL 3.0 to update to the latest version, available at https://www.openssl.org/source/ or via their operating system’s software update mechanism.

Amazon Linux 2022
We will release an updated version of OpenSSL 3.0 to the Amazon Linux 2022 repositories shortly. Once available, customers testing the preview release of Amazon Linux 2022 should upgrade to the patched version of OpenSSL 3.0. Updated Amazon Linux 2022 AMIs will also be available shortly. More information is available in the Amazon Linux Security Center: https://alas.aws.amazon.com/alas2022.html

Amazon Elastic Container Service
Amazon ECS will release upda…

Timeline
- Nov 1, 2022 CVE Published
References
- OpenSSL Security Advisories - November 2022 advisory
- https://www.openssl.org/source/
- https://alas.aws.amazon.com/alas2022.html
- https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html
- https://docs.aws.amazon.com/linux/al2022/ug/managing-repos-os-updates.html
- https://github.com/bottlerocket-os/bottlerocket-update-operator
- https://github.com/bottlerocket-os/bottlerocket-update-operator/security/advisories