Trying to patch a vulnerability and understand OpenSSL versions in Amazon Linux 2

Question

Hello, A vulnerability scan on our EC2 instance is revealing it is susceptible to [CVE-2022-1292](https://alas.aws.amazon.com/cve/html/CVE-2022-1292.html) an so I am trying to patch it to keep it secure. My currently installed version of OpenSSL is

openssl.x86_64                      1:1.0.2k-24.amzn2.0.4          @amzn2-core

This is the newest available version of the openssl package in the yum repository, but (from the linked CVE page): "[The vulnerability is] Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd)." meaning I am a few versions behind where I need to be.

How can I reconcile this? Thanks.

Answer

Hi there

Please take a look at this answer

https://repost.aws/questions/QUaugGX-qTQAGlNnaQil5zig/is-open-ssl-1-0-2-k-updated

From the Amazon Linux 2 FAQ (https://aws.amazon.com/amazon-linux-2/faqs/)

```
Q. What is included in the Long Term Support for Amazon Linux 2?

Long-term support for Amazon Linux 2 only applies to core packages and includes:
1) AWS will provide security updates and bug fixes for all packages in core until June 30, 2024.
```
From https://alas.aws.amazon.com/AL2/ALAS-2022-1801.html:
The latest package for addressing (CVE-2022-1292) is
`openssl-1.0.2k-24.amzn2.0.3.x86_64`

Trying to patch a vulnerability and understand OpenSSL versions in Amazon Linux 2

Relevant content