Description: OpenVPN Access Server uses the OpenSSL library that comes with the operating system. CVE-2022-3786 and CVE-2022-3602 only affect OpenSSL 3 (3.0.0 through 3.0.6); OpenSSL 3.0.7 fixed these vulnerabilities.
Many vendors chose to backport the fix into their existing OpenSSL 3 package rather than ship a new release based on OpenSSL 3.0.7. As a result, "openssl version" keeps reporting the old upstream version (for example 3.0.2) even on a fixed system, and you have to look at the package revision instead.
Is your Access Server on a Linux machine that's at risk?
Resolution: If your Linux operating system is Ubuntu 22.04 or Red Hat 9 (or an equivalent Red Hat-based OS), you may be affected. Other Linux releases supported by Access Server ship OpenSSL 1.1.x, which isn't affected.
Use the methods below to determine the OpenSSL 3 package version on the Linux machine hosting Access Server.
Then, if needed, upgrade to the patched OpenSSL package to resolve the security issue.
For Ubuntu 22, the Patch Package is "3.0.2-0ubuntu1.7"
For Red Hat 9 / CentOS 9 / Alma Linux 9 / Rocky Linux 9, the Patch Package is "3.0.1-43.el9"
For Ubuntu 22:
Run the command below to list the installed OpenSSL Package:
apt list -a openssl
In the first example output below, you can see Ubuntu 22 is running with OpenSSL package "3.0.2-0ubuntu1.6", hence the Linux machine is vulnerable.
root@Ubuntu22:~# apt list -a openssl
Listing... Done
openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.6 amd64 [installed,automatic]
openssl/jammy 3.0.2-0ubuntu1 amd64
In the second example output below, you can see Ubuntu 22 is running with OpenSSL package "3.0.2-0ubuntu1.7", hence the Linux machine is secure.
root@Ubuntu22:~# apt list -a openssl
Listing... Done
openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.7 amd64 [installed,automatic]
openssl/jammy 3.0.2-0ubuntu1 amd64
For Red Hat 9 / CentOS 9 / Alma Linux 9 / Rocky Linux 9:
The examples below are from CentOS Stream 9, but the commands work unchanged on Red Hat 9 / Alma Linux 9 / Rocky Linux 9 (yum is an alias for dnf on these systems).
Run the command below to list the OpenSSL package installed:
yum list --showduplicates openssl
In the first example output below, you can see CentOS 9 is running with OpenSSL package "3.0.1-14.el9", hence the Linux machine is vulnerable.
[root@CentOS9 ~]# yum list --showduplicates openssl
Last metadata expiration check: 0:00:54 ago on Wed 16 Nov 2022 07:07:08 PM UTC.
Installed Packages
openssl.x86_64 1:3.0.1-14.el9 @anaconda
Available Packages
openssl.x86_64 1:3.0.1-37.el9 baseos
openssl.x86_64 1:3.0.1-38.el9 baseos
openssl.x86_64 1:3.0.1-40.el9 baseos
openssl.x86_64 1:3.0.1-41.el9 baseos
openssl.x86_64 1:3.0.1-43.el9 baseos
In the second example output below, you can see CentOS is running with OpenSSL package "3.0.1-43.el9", hence the Linux machine is secure.
[root@CentOS9 ~]# yum list --showduplicates openssl
DigitalOcean Droplet Agent 19 kB/s | 3.3 kB 00:00
Installed Packages
openssl.x86_64 1:3.0.1-43.el9 @baseos
Available Packages
openssl.x86_64 1:3.0.1-37.el9 baseos
openssl.x86_64 1:3.0.1-38.el9 baseos
openssl.x86_64 1:3.0.1-40.el9 baseos
openssl.x86_64 1:3.0.1-41.el9 baseos
openssl.x86_64 1:3.0.1-43.el9 baseos
If your Linux machine doesn't have the patch package installed, run the below update commands:
For Ubuntu 22:
apt -y update
apt -y upgrade
For Red Hat 9 / CentOS 9 / Alma Linux 9 / Rocky Linux 9:
yum -y check-update
yum -y update
We recommend you restart the system after installing the OpenSSL update to ensure that all processes use the new library. A running process keeps the old libssl/libcrypto mapped in memory until it is restarted, so the update alone doesn't protect it. You can also restart services individually (at a minimum the Access Server service, openvpnas, and any other service linked against libssl), but a system restart covers all services.
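The check above is done by eye; the script below automates it. It is an added example and not part of the original article or of Access Server. It reads the version of the OpenSSL runtime library package (libssl3 on Ubuntu, openssl-libs on EL9; the "openssl" package listed above is the CLI and is built from the same source, but the library package is what Access Server actually loads), compares it against the patch package versions named in the article, and, after an update, lists processes that still map the replaced library and therefore need a restart. It assumes GNU sort -V is available; on Debian/Ubuntu, dpkg --compare-versions is the authoritative comparator and gives the same result for these version strings.

```shell
#!/bin/sh
# Added example: is this host's OpenSSL 3 runtime library patched for
# CVE-2022-3602 / CVE-2022-3786, and which processes still run the old code?

# Fixed package versions named in the article. The EL9 one is written in
# rpm's epoch:version-release form; epochs are stripped before comparison.
UBUNTU_FIXED="3.0.2-0ubuntu1.7"
EL9_FIXED="1:3.0.1-43.el9"

# version_ge A B: true when A sorts at or after B under sort -V.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# openssl_status FAMILY PKGVER -> vulnerable | patched | not-affected | unknown
#   FAMILY is "debian" or "rhel"; PKGVER is the package version string as
#   printed by dpkg-query / rpm (an rpm epoch prefix like "1:" is accepted).
openssl_status() {
    family=$1
    pkgver=$2
    up=${pkgver#*:}          # drop epoch:   "1:3.0.1-43.el9" -> "3.0.1-43.el9"
    up=${up%%-*}             # drop revision: "3.0.1-43.el9"   -> "3.0.1"
    case "$up" in
        3.0.[0-9]*)   patch=${up#3.0.} ;;
        1.*|3.[1-9]*) echo not-affected; return 0 ;;  # 1.x never had the bug; 3.1+ branched after 3.0.7
        *)            echo unknown; return 0 ;;
    esac
    # Only the 3.0.0 - 3.0.6 code base needs a distro backport; 3.0.7+ is fixed upstream.
    if [ "$patch" -ge 7 ] 2>/dev/null; then
        echo patched; return 0
    fi
    case "$family" in
        debian) fixed=$UBUNTU_FIXED ;;
        rhel)   fixed=$EL9_FIXED ;;
        *)      echo unknown; return 0 ;;
    esac
    if version_ge "${pkgver#*:}" "${fixed#*:}"; then echo patched; else echo vulnerable; fi
}

# detect_installed -> "FAMILY PKGVER" of the OpenSSL runtime library package.
detect_installed() {
    if command -v dpkg-query >/dev/null 2>&1; then
        printf 'debian %s\n' "$(dpkg-query -W -f='${Version}' libssl3 2>/dev/null)"
    elif command -v rpm >/dev/null 2>&1 && rpm -q openssl-libs >/dev/null 2>&1; then
        printf 'rhel %s\n' "$(rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}' openssl-libs)"
    else
        printf 'unknown\n'
    fi
}

# stale_openssl_processes: PIDs whose mapped libssl/libcrypto file was replaced
# on disk. The kernel tags such mappings "(deleted)" in /proc/PID/maps; these
# processes keep executing the old library until they are restarted.
stale_openssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        if grep -qE 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            echo "${pid%%/*}"
        fi
    done
}

main() {
    # Intentional word splitting: detect_installed prints "FAMILY PKGVER".
    set -- $(detect_installed)
    family=$1
    pkgver=${2-}
    echo "runtime library package: ${family} ${pkgver:-<not found>}"
    echo "status: $(openssl_status "$family" "$pkgver")"
    stale=$(stale_openssl_processes)
    if [ -n "$stale" ]; then
        echo "processes still mapping a replaced libssl/libcrypto (restart them or reboot):"
        echo "$stale"
    fi
}

main
```

Run it as root before and after the update: the first run should report "vulnerable" on an unpatched host, the second "patched", and the PID list after the second run is exactly the set of services the restart advice above is about (openvpnas among them if it was running during the update).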
For more info, refer to OpenSSL 3 vulnerability (CVE-2022-3786 and CVE-2022-3602)
If you have additional questions, please submit a ticket.