By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Updating OpenSSL Version on Amazon Linux 2023 EC2 Instance

0

Hello AWS Community,

I'm new to AWS EC2 but have a background in Linux. I recently conducted a web security scan on my EC2 instance running Amazon Linux 2023 and discovered it's using OpenSSL version 3.0.8. According to the scan, this version is vulnerable (CVE-2023-4807 and several others), and I'm looking to update it to the latest supported version to mitigate this vulnerability.

I've attempted the following steps based on my Linux experience and AWS documentation:

  1. Ran openssl version to confirm the current version is indeed 3.0.8.
  2. Executed sudo yum update -y to apply all available system updates, but it didn't update OpenSSL.
  3. Tried sudo yum list --available openssl, which returned "No matching Packages to list," indicating no available updates for OpenSSL through the yum package manager.

Before proceeding with a manual update or compilation from source, which I understand could complicate future package management and potentially disrupt system dependencies, I wanted to seek advice from the community:

  • Is there an official or recommended approach to updating OpenSSL on Amazon Linux 2023 instances to address specific vulnerabilities like CVE-2023-4807?
  • Are there AWS or community resources that I might have overlooked in resolving this issue?

I appreciate any guidance or references you can provide to help ensure my EC2 instance remains secure.

Topics
ComputeAWS Well-Architected Framework
Tags
Amazon EC2SecurityAmazon Linux
Language
English
Anthony
asked 3 months ago1108 views
4 Answers
1

Thank you for the reply. But I’m not understanding. The page says that Amazon Linux is not affected. How can that be? Does Amazon somehow protect against the vulnerability besides simply updating OpenSSL to the latest version?

Anthony
answered 3 months ago
  • Mike_L EXPERT
    3 months ago

    I have updated my post. CVE seems to affect Windows only.

0

You can check Amazon Linux Security Center for CVEs that may affect Amazon Linux.

For CVE-2023-4807, the corresponding page is at https://explore.alas.aws.amazon.com/CVE-2023-4807.html As per that page

Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications on the
Windows 64 platform when running on newer X86_64 processors supporting the
AVX512-IFMA instructions

This affects Windows 64. Linux is not mentioned.

If you would like to report a vulnerability or have a security concern regarding AWS cloud services or open source projects, you can report it as per Vulnerability Reporting site.

AWS
EXPERT
Mike_L
answered 3 months ago
  • bubble29
    2 months ago

    I have the same question for CVE-2023-0464,CVE-2023-0465, CVE-2023-0466. This does impact Amazon Linux 2023 and when I run the command "dnf update openssl --releasever 2023.0.20230517" it says tha there is nothing to do. I would expect this becasue the server is patched to the latest version. I have applied all patches to the server and every update says that there is nothing to do. This is still failing the securty scan from a third party vendor

    $ sudo dnf update openssl --releasever 2023.0.20230517 Last metadata expiration check: 0:18:21 ago on Thu Feb 29 11:45:36 2024. Dependencies resolved. Nothing to do. Complete!

    $ openssl version OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

0

I believe AWS has backported the fix to openssl 3.0.8, therefore the specified update does include the fix even though the openssl version remains 3.0.8.

Tim Anderson
answered 23 days ago
0

The Amazon Linux Security Center at https://alas.aws.amazon.com/ shows the CVEs and when they were addressed.

And this link: https://aws.amazon.com/amazon-linux-2/faqs/#Amazon_Linux_Security explains the Linux backporting and security policy, and includes this line: "Security scanners that rely on versioning from a project’s authors sometimes won’t pick up that a given CVE fix has been applied in an older version"

Though to me the function of version numbers is defeated if changes from later versions are added to an old version, without changing the version number. It takes extra steps to determine what is fixed and what isn't.

JD
answered 5 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content