Updating OpenSSL Version on Amazon Linux 2023 EC2 Instance

0

Hello AWS Community,

I'm new to AWS EC2 but have a background in Linux. I recently conducted a web security scan on my EC2 instance running Amazon Linux 2023 and discovered it's using OpenSSL version 3.0.8. According to the scan, this version is vulnerable (CVE-2023-4807 and several others), and I'm looking to update it to the latest supported version to mitigate this vulnerability.

I've attempted the following steps based on my Linux experience and AWS documentation:

  1. Ran openssl version to confirm the current version is indeed 3.0.8.
  2. Executed sudo yum update -y to apply all available system updates, but it didn't update OpenSSL.
  3. Tried sudo yum list --available openssl, which returned "No matching Packages to list," indicating no available updates for OpenSSL through the yum package manager.

Before proceeding with a manual update or compilation from source, which I understand could complicate future package management and potentially disrupt system dependencies, I wanted to seek advice from the community:

  • Is there an official or recommended approach to updating OpenSSL on Amazon Linux 2023 instances to address specific vulnerabilities like CVE-2023-4807?
  • Are there AWS or community resources that I might have overlooked in resolving this issue?

I appreciate any guidance or references you can provide to help ensure my EC2 instance remains secure.

Anthony
Asked 3 months ago, 1366 views
4 answers
1

Thank you for the reply. But I’m not understanding. The page says that Amazon Linux is not affected. How can that be? Does Amazon somehow protect against the vulnerability besides simply updating OpenSSL to the latest version?

Anthony
Answered 3 months ago
  • I have updated my post. CVE seems to affect Windows only.

0

You can check Amazon Linux Security Center for CVEs that may affect Amazon Linux.

For CVE-2023-4807, the corresponding page is at https://explore.alas.aws.amazon.com/CVE-2023-4807.html. As per that page:

Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications on the
Windows 64 platform when running on newer X86_64 processors supporting the
AVX512-IFMA instructions

This affects Windows 64. Linux is not mentioned.

If you would like to report a vulnerability or have a security concern regarding AWS cloud services or open source projects, you can report it as per the Vulnerability Reporting site.

AWS
Expert
Mike_L
Answered 3 months ago
  • I have the same question for CVE-2023-0464, CVE-2023-0465, CVE-2023-0466. This does impact Amazon Linux 2023 and when I run the command "dnf update openssl --releasever 2023.0.20230517" it says that there is nothing to do. I would expect this because the server is patched to the latest version. I have applied all patches to the server and every update says that there is nothing to do. This is still failing the security scan from a third party vendor

    $ sudo dnf update openssl --releasever 2023.0.20230517
    Last metadata expiration check: 0:18:21 ago on Thu Feb 29 11:45:36 2024.
    Dependencies resolved.
    Nothing to do.
    Complete!

    $ openssl version
    OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

0

I believe AWS has backported the fix to openssl 3.0.8, therefore the specified update does include the fix even though the openssl version remains 3.0.8.

Answered 1 month ago
0

The Amazon Linux Security Center at https://alas.aws.amazon.com/ shows the CVEs and when they were addressed.

And this link: https://aws.amazon.com/amazon-linux-2/faqs/#Amazon_Linux_Security explains the Linux backporting and security policy, and includes this line: "Security scanners that rely on versioning from a project’s authors sometimes won’t pick up that a given CVE fix has been applied in an older version"

Though to me the function of version numbers is defeated if changes from later versions are added to an old version, without changing the version number. It takes extra steps to determine what is fixed and what isn't.

JD
Answered 18 days ago
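The two answers above make the same point: on Amazon Linux the fix for a CVE can be backported into openssl 3.0.8 without the version string changing, so a scanner that keys on `openssl version` will keep flagging a patched host. The check below is an added example, not code from the thread or from AWS: it looks for the CVE identifier in the package changelog instead of trusting the version number. The changelog text embedded here is a constructed sample standing in for the output of `rpm -q --changelog openssl`; the real entries on a host will differ.

```shell
#!/bin/sh
# Added example: decide whether a CVE fix is present by reading the RPM
# changelog rather than the upstream version string, since Amazon Linux
# backports fixes into openssl 3.0.8 without bumping that string.

# CONSTRUCTED sample of `rpm -q --changelog openssl` output. Illustrative
# only; it is not the real Amazon Linux 2023 openssl changelog.
SAMPLE_CHANGELOG='* Wed May 17 2023 Amazon Linux Maintainers - 1:3.0.8-1.amzn2023.0.3
- Backport upstream fixes for CVE-2023-0464, CVE-2023-0465 and CVE-2023-0466

* Tue Feb 07 2023 Amazon Linux Maintainers - 1:3.0.8-1.amzn2023.0.1
- Update to OpenSSL 3.0.8'

# Read changelog text on stdin; print "fixed" if the CVE id appears as a
# whole word, "not-listed" otherwise. Exit status mirrors the result.
cve_status() {
  cve="$1"
  if grep -qiw -- "$cve" ; then
    echo fixed
  else
    echo not-listed
    return 1
  fi
}

# check_cves CHANGELOG_TEXT CVE-ID...  prints one line per CVE and returns
# non-zero if any CVE is not mentioned, so it can gate a scripted audit.
check_cves() {
  changelog="$1"; shift
  rc=0
  for cve in "$@"; do
    status=$(printf '%s\n' "$changelog" | cve_status "$cve") || rc=1
    echo "$cve: $status"
  done
  return $rc
}

# Stand-alone demo against the constructed sample. On a real AL2023 host,
# replace "$SAMPLE_CHANGELOG" with "$(rpm -q --changelog openssl)" and
# cross-check the result against the advisory metadata the package manager
# carries, e.g.:  dnf updateinfo info --cve CVE-2023-0464
check_cves "$SAMPLE_CHANGELOG" \
  CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-4807 \
  || echo "at least one CVE is not listed in the changelog; check ALAS"
```

CVE-2023-4807 comes back as not-listed here because, as Mike_L's answer notes, the ALAS page marks Amazon Linux as not affected, so no backport entry is expected for it.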
