Home / mailings [RHSA-2022:7384-01] Critical: openssl-container security update
Posted on 03 November 2022
RedHat===================================================================== Red Hat Security Advisory
Synopsis: Critical: openssl-container security update
Advisory ID: RHSA-2022:7384-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7384
Issue date: 2022-11-02
CVE Names: CVE-2022-3602 CVE-2022-3786
=====================================================================
1. Summary:
An update for openssl-container is now available for Red Hat Enterprise
Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
The ubi9/openssl image provides provides an openssl command-line tool for
using the various functions of the OpenSSL crypto library. Using the
OpenSSL tool, you can generate private keys, create certificate signing
requests (CSRs), and display certificate information.
This updates the ubi9/openssl image in the Red Hat Container Registry.
To pull this container image, run one of the following commands:
podman pull registry.redhat.io/rhel9/openssl (authenticated)
podman pull registry.access.redhat.com/ubi9/openssl (unauthenticated)
Security Fix(es):
* OpenSSL: X.509 Email Address Buffer Overflow (CVE-2022-3602)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted.
4. Bugs fixed (https://bugzilla.redhat.com/):
2134869 - rebuild of openssl-container 9.0
2137723 - CVE-2022-3602 OpenSSL: X.509 Email Address Buffer Overflow
5. References:
https://access.redhat.com/security/cve/CVE-2022-3602
https://access.redhat.com/security/cve/CVE-2022-3786
https://access.redhat.com/security/updates/classification/#critical
https://catalog.redhat.com/software/containers/search
https://access.redhat.com/security/vulnerabilities/RHSB-2022-004
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.