CircleCI Images & OpenSSL CVE-2022-3602, CVE-2022-3786

Hey Everyone,

This post provides information on the two "high" severity OpenSSL CVEs (CVE-2022-3602 and CVE-2022-3786) and how they affect the images you might use on CircleCI. It will be updated over time as we gather new information.

Summary

In general, OpenSSL versions 3.0.0 through 3.0.6 are affected. OpenSSL 3.0.7 contains fixes for the two CVEs. The OpenSSL 1.1.1 series is not affected.

| Image Family    | Image              | Executor | Affected? | Patch Status               |
|-----------------|--------------------|----------|-----------|----------------------------|
| Android VM      | Android            | machine  | no        | n/a                        |
| cimg/aws        | 2022.10.1 & before | docker   | affected  | in-progress                |
| cimg/azure      | 2022.10.1 & before | docker   | affected  | in-progress                |
| cimg/base       | 2022.10, current   | docker   | affected  | complete: 2022.11, current |
| cimg/deploy     | 2022.10.1 & before | docker   | affected  | complete: 2022.11.1        |
| cimg/gcp        | 2022.10.1 & before | docker   | affected  | in-progress                |
| cimg/go         | last 30 days       | docker   | affected  | complete                   |
| cimg/node       | last 30 days       | docker   | affected  | complete                   |
| cimg/openjdk    | last 30 days       | docker   | affected  | complete                   |
| cimg/php        | last 30 days       | docker   | affected  | complete                   |
| cimg/python     | last 30 days       | docker   | affected  | complete                   |
| cimg/*          | not listed above   | docker   | no        | n/a                        |
| CUDA Linux VM   | any                | machine  | no        | n/a                        |
| Ubuntu Linux VM | Ubuntu 20.04       | machine  | no        | n/a                        |
| Ubuntu Linux VM | Ubuntu 22.04       | machine  | affected  | complete: 2022.10.2        |
| Windows VM      | Server 2019        | machine  | no        | n/a                        |
| Windows VM      | Server 2022        | machine  | no        | n/a                        |
| Xcode VM        | 13.1.0 onwards     | macos    | no        | n/a                        |

Linux Images

Vulnerable Images

Our Ubuntu 22.04 images, and any images based on them, are affected. This includes the Ubuntu 22.04 VM images as well as the Convenience Images (Docker) published in roughly the last 30 days. We will be patching all of these images; watch the table above for progress.

How do I check whether my version is vulnerable?

Running openssl version is not a reliable check on Ubuntu, because Ubuntu backports the security fixes into its existing 3.0.2 package rather than pulling in the 3.0.7 release, so a fully patched system still reports 3.0.2. Instead, check the version of the openssl package itself (the spaces in the pattern are on purpose, so that only the openssl package matches and not, for example, python3-openssl):

dpkg -l | grep " openssl "

On Ubuntu 22.04, the patched package version is 3.0.2-0ubuntu1.7 or newer. The same fixed version applies to libssl3, the shared library that programs actually link against, so check that package as well. Older Ubuntu releases, which are not affected, ship a version containing 1.1.1.
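As an added example (not part of the original post and not CircleCI's own tooling), the script below applies the dpkg check above to both the openssl package and libssl3, and compares the installed version against the patched version using dpkg's own version ordering, which is what decides whether a backported fix is present. It also recognises the unaffected 1.1.1 series on older Ubuntu releases. The dpkg -l output embedded in it is constructed for illustration, not captured from a real image; the version string 3.0.2-0ubuntu1.7 is the one stated in the paragraph above.

```shell
#!/bin/sh
# Added example: decide whether the OpenSSL packages on an Ubuntu image are
# patched for CVE-2022-3602 / CVE-2022-3786 from the dpkg package version,
# not from `openssl version`. Not CircleCI's own tooling.

# Fixed Ubuntu 22.04 package version, as stated in the post above.
PATCHED="3.0.2-0ubuntu1.7"

# ge_version A B: succeed if Debian package version A is >= B.
# dpkg is the authoritative comparator; the GNU `sort -V` fallback (for
# running the script off-box) agrees for version strings of this shape.
ge_version() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# classify PKG VERSION: print a verdict and fail if VERSION is a
# vulnerable OpenSSL 3.0.x build (or something we cannot classify).
classify() {
    pkg=$1; ver=$2
    case "$ver" in
        1.1.1*) echo "$pkg $ver: not affected (1.1.1 series)" ;;
        3.0.*)
            if ge_version "$ver" "$PATCHED"; then
                echo "$pkg $ver: patched"
            else
                echo "$pkg $ver: VULNERABLE (need $PATCHED or newer)"
                return 1
            fi ;;
        *)  echo "$pkg $ver: unrecognised version, treat as vulnerable"
            return 1 ;;
    esac
}

# openssl_status "<dpkg -l output>": inspect the installed openssl package
# and libssl3 (the library programs link against; shown as libssl3:amd64
# on multi-arch systems). Succeeds only if every one of them is patched;
# returns 2 if neither package is present at all.
openssl_status() {
    rc=0; found=0
    for entry in $(printf '%s\n' "$1" |
        awk '$1 == "ii" && ($2 == "openssl" || $2 ~ /^libssl3(:|$)/) { print $2 "=" $3 }'); do
        found=1
        classify "${entry%%=*}" "${entry#*=}" || rc=1
    done
    [ "$found" -eq 1 ] || { echo "no openssl/libssl3 package found"; return 2; }
    return $rc
}

# Constructed samples in `dpkg -l` format (not captured from real images).
JAMMY_OLD='ii  libssl3:amd64  3.0.2-0ubuntu1.6  amd64  Secure Sockets Layer toolkit - shared libraries
ii  openssl        3.0.2-0ubuntu1.6  amd64  Secure Sockets Layer toolkit - cryptographic utility'

JAMMY_FIXED='ii  libssl3:amd64  3.0.2-0ubuntu1.7  amd64  Secure Sockets Layer toolkit - shared libraries
ii  openssl        3.0.2-0ubuntu1.7  amd64  Secure Sockets Layer toolkit - cryptographic utility'

# The case `grep " openssl "` alone would miss: CLI upgraded, library not.
HALF_PATCHED='ii  libssl3:amd64  3.0.2-0ubuntu1.6  amd64  Secure Sockets Layer toolkit - shared libraries
ii  openssl        3.0.2-0ubuntu1.7  amd64  Secure Sockets Layer toolkit - cryptographic utility'

FOCAL='ii  libssl1.1:amd64  1.1.1f-1ubuntu2.16  amd64  Secure Sockets Layer toolkit - shared libraries
ii  openssl          1.1.1f-1ubuntu2.16  amd64  Secure Sockets Layer toolkit - cryptographic utility'

# Run against the real package database on an Ubuntu job:
#   sh check_openssl.sh --live
if [ "${1:-}" = "--live" ]; then
    openssl_status "$(dpkg -l)"
fi
```

The mixed sample is the case worth remembering: after a partial upgrade the openssl command-line tool can report the fixed version while the libssl3 library loaded by your build's tools is still the old one, so a check that only greps for " openssl " passes when it should fail.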

How to manually update

If you don't want to wait for our patched images to be released, or for any other reason, you can update OpenSSL yourself in a CircleCI job, ideally as the first step so that nothing later in the job uses the old library. Name libssl3 explicitly as well as openssl: openssl is the command-line tool, while libssl3 is the shared library that your build's programs actually load. It would look like this:

    steps:
      # Upgrade the CLI and the shared library together, before any other step runs.
      - run: sudo apt-get update && sudo apt-get install -y openssl libssl3

macOS

Xcode images from 13.1.0 onward had an affected OpenSSL 3.x version installed via brew. However, that version was not the default openssl on the image. Since OpenSSL v3 was not a dependency of any other installed package, we have now removed OpenSSL v3 from our current Xcode images.

If OpenSSL v3 is specifically required for your workload, you can reinstall it during your job, ideally as the first step. Homebrew installs openssl@3 keg-only, so it will not be on the PATH; reference it via $(brew --prefix openssl@3)/bin/openssl and confirm it reports 3.0.7 or newer. The step would look like this:

    steps:
      - run: brew install openssl@3

Windows

Our Windows images are not affected by these CVEs.
