Hey Everyone,
This post provides information on the two high-severity OpenSSL CVEs and how they affect the images you might use on CircleCI. It will be updated over time as we gather new information.
Summary
In general, OpenSSL versions 3.0.0 through 3.0.6 are affected; OpenSSL 3.0.7 contains the fixes for both CVEs. The OpenSSL 1.1.1 series is not affected.
Image Family | Image | Executor | Affected? | Patch Status |
---|---|---|---|---|
Android VM | Android | machine | no | n/a |
cimg/aws | 2022.10.1 & before | docker | affected | in-progress |
cimg/azure | 2022.10.1 & before | docker | affected | in-progress |
cimg/base | 2022.10, current | docker | affected | complete: 2022.11, current |
cimg/deploy | 2022.10.1 & before | docker | affected | complete: 2022.11.1 |
cimg/gcp | 2022.10.1 & before | docker | affected | in-progress |
cimg/go | last 30 days | docker | affected | complete |
cimg/node | last 30 days | docker | affected | complete |
cimg/openjdk | last 30 days | docker | affected | complete |
cimg/php | last 30 days | docker | affected | complete |
cimg/python | last 30 days | docker | affected | complete |
cimg/* | not listed above | docker | no | n/a |
CUDA Linux VM | any | machine | no | n/a |
Ubuntu Linux VM | Ubuntu 20.04 | machine | no | n/a |
Ubuntu Linux VM | Ubuntu 22.04 | machine | affected | complete: 2022.10.2 |
Windows VM | Server 2019 | machine | no | n/a |
Windows VM | Server 2022 | machine | no | n/a |
Xcode VM | 13.1.0 onwards | macos | no | n/a |
Linux Images
Vulnerable Images
Our Ubuntu 22.04 images, and any images based on them, are affected. This includes the Ubuntu 22.04 VM images as well as the Convenience Images (Docker) published in roughly the last 30 days. We will be patching all of these images; the table above tracks progress.
How to check if my version is vulnerable?
Running `openssl version` is not a reliable check on Ubuntu: Ubuntu backports the security fixes into its 3.0.2 package rather than moving to the 3.0.7 release, so a patched system still reports 3.0.2. Check the installed package version instead (the spaces in the pattern are deliberate, so that only the `openssl` package line matches and not, say, `libssl3`):
dpkg -l | grep " openssl "
On Ubuntu 22.04, the patched package version is 3.0.2-0ubuntu1.7 or newer. The same version applies to `libssl3`, the shared library package that your programs actually link against: it is built from the same source package, so it is worth checking as well. Older Ubuntu releases ship OpenSSL 1.1.1, which is not affected, and their package version contains 1.1.1.
How to manually update
If you don’t want to wait for our patched images to be released, or have another reason to do it yourself, you can update OpenSSL in your CircleCI job, ideally as the first step so that everything after it runs against the patched packages. It would look like this:
steps:
- run: sudo apt-get update && sudo apt-get install -y openssl
Add `libssl3` to the install list as well if you want to be sure the shared library, and not only the command-line tool, is upgraded. Note that this updates only the running container or VM for that job; the image itself is unchanged, so the step must stay in your config until you move to a patched image.
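As an added example (not part of the original post and not CircleCI's own tooling), the following POSIX shell script performs the package-version check described above and can run as the job step right after the manual update. It reads `dpkg -l`-style output from stdin, extracts the installed version of both `openssl` and `libssl3`, and compares each against the fixed Ubuntu 22.04 version 3.0.2-0ubuntu1.7 using `sort -V` (GNU coreutils), which is adequate for Ubuntu revision strings of this form but is not a full dpkg version comparison (epochs and `~` are not handled). The `dpkg -l` lines at the bottom are constructed for the example so it runs anywhere; in a real job you would pipe the real `dpkg -l` output into `check_openssl` instead.

```shell
#!/bin/sh
# Added example: verify that Ubuntu 22.04's backported OpenSSL fix is installed.
# Not CircleCI's own code. Assumes GNU `sort -V` for version ordering.

# First Ubuntu 22.04 package version carrying the fix (from the post above).
PATCHED_VERSION="3.0.2-0ubuntu1.7"

# pkg_version NAME: read `dpkg -l` output on stdin and print the installed
# version of NAME. Only "ii" (installed) rows count, and multi-arch names
# such as "libssl3:amd64" match the bare package name as well.
pkg_version() {
    awk -v pkg="$1" '
        $1 == "ii" && ($2 == pkg || index($2, pkg ":") == 1) { print $3; exit }'
}

# version_ge A B: succeed if A is greater than or equal to B in `sort -V` order.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_pkg NAME: read `dpkg -l` output on stdin and report on NAME.
# Exit status: 0 patched, 1 vulnerable, 2 package not installed.
check_pkg() {
    ver="$(pkg_version "$1")"
    if [ -z "$ver" ]; then
        echo "$1: not installed"
        return 2
    fi
    if version_ge "$ver" "$PATCHED_VERSION"; then
        echo "$1 $ver: patched (>= $PATCHED_VERSION)"
        return 0
    fi
    echo "$1 $ver: VULNERABLE (< $PATCHED_VERSION)"
    return 1
}

# check_openssl: check both the command-line tool and the shared library that
# programs link against; fail if either is missing or still vulnerable.
check_openssl() {
    input="$(cat)"
    rc=0
    for pkg in openssl libssl3; do
        printf '%s\n' "$input" | check_pkg "$pkg" || rc=1
    done
    return $rc
}

# Constructed sample `dpkg -l` output (not captured from a real host).
SAMPLE_VULNERABLE='Desired=Unknown/Install/Remove/Purge/Hold
||/ Name           Version            Architecture Description
ii  libssl3:amd64  3.0.2-0ubuntu1.6   amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl        3.0.2-0ubuntu1.6   amd64        Secure Sockets Layer toolkit - cryptographic utility'
SAMPLE_PATCHED='ii  libssl3:amd64  3.0.2-0ubuntu1.7   amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl        3.0.2-0ubuntu1.7   amd64        Secure Sockets Layer toolkit - cryptographic utility'

# In a job step the real command is:   dpkg -l | check_openssl
# Here the constructed sample stands in for it.
printf '%s\n' "$SAMPLE_PATCHED" | check_openssl
```

Because `check_openssl` exits non-zero when either package is missing or below the fixed version, placing it as a job step after the `apt-get` step makes the job fail loudly if the update did not take, rather than silently building against a vulnerable library.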
macOS
Xcode images from 13.1.0 onward had an affected OpenSSL 3.x installed via brew. However, this version was not the default: the `openssl` on the PATH was not the Homebrew 3.x build. Since OpenSSL v3 was not a dependency of any other installed package, we have now removed it from our current Xcode images.
If OpenSSL v3 is specifically required for your workload, you can reinstall it during your job, ideally as the first step. It would look like this:
steps:
- run: brew install openssl@3
This installs whatever the current `openssl@3` formula provides. The formula is keg-only and is not placed on the PATH, so verify the version using the binary under the formula's own prefix rather than the system `openssl`.
Windows
Our Windows images are not affected by these CVEs.
Resources
- OpenSSL’s advisory for these CVEs: https://www.openssl.org/news/vulnerabilities.html
- OpenSSL package versions in Ubuntu (Launchpad): https://launchpad.net/ubuntu/+source/openssl
- Docker blog post: Security Advisory: High Severity OpenSSL Vulnerabilities