add CVE numbers to openssl policy (#68)
Signed-off-by: Patrick Münch <[email protected]>
atomic111 authored Nov 1, 2022
1 parent 9571dc9 commit b9e1caf
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions core/mondoo-openssl-vulnerability.mql.yaml
Expand Up @@ -51,14 +51,16 @@ queries:
query: packages.where(name == /ssl/).all( version != /3.0.[0123456]/ )
docs:
desc: |
The OpenSSL Project released a security fix (OpenSSL version 3.0.7) for a new-and-disclosed CVE on Tuesday, November 1, 2022. This CVE is categorized as "CRITICAL" and affects OpenSSL versions from 3.0.0 to 3.0.6.
The OpenSSL Project released a security fix (OpenSSL version 3.0.7) for a new-and-disclosed CVE-2022-3602 and CVE-2022-3786 on Tuesday, November 1, 2022. This CVE is categorized as "HIGH" and affects OpenSSL versions from 3.0.0 to 3.0.6.
OpenSSL [Issue severity](https://www.openssl.org/policies/general/security-policy.html):
This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.
This includes issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control.
OpenSSL is the most popular open source cryptography and SSL/TLS toolkit. It's used by most HTTPS websites and is the crucial mechanism to encrypt connections to servers. Since OpenSSL is so fundamental to our infrastructure, such a critical vulnerability represents a severe threat to a wide range of businesses and individuals.
[OpenSSL Security Advisory 2022-11-01](https://www.openssl.org/news/secadv/20221101.txt)
audit: |
__cnspec shell__
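Review bot: the rewritten desc line now names two CVEs ("CVE-2022-3602 and CVE-2022-3786") but still continues with "This CVE is categorized as HIGH", and "a new-and-disclosed CVE-2022-3602 and CVE-2022-3786" does not parse; suggest "for two newly disclosed CVEs, CVE-2022-3602 and CVE-2022-3786 ... These CVEs are categorized as HIGH". With the severity changed from CRITICAL to HIGH, the unchanged paragraphs that follow are now inconsistent: the CRITICAL severity definition ("This affects common configurations and which are also likely to be exploitable ...") no longer applies to this advisory and should be dropped or introduced as context for the downgrade, and "such a critical vulnerability represents a severe threat" should say "high-severity". Separately, the unchanged query `packages.where(name == /ssl/).all( version != /3.0.[0123456]/ )` uses an unanchored regex with unescaped dots, so a future patched version such as 3.0.10 would still match `3.0.1` as a substring and be reported as vulnerable; anchoring the pattern (for example `/^3\.0\.[0-6]$/`) would avoid that false positive.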
Expand Down Expand Up @@ -127,3 +129,5 @@ queries:
refs:
- title: OpenSSL mailing list
url: https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
- title: OpenSSL Security Advisory [01 November 2022]
url: https://www.openssl.org/news/secadv/20221101.txt
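Review bot: since the purpose of this commit is to add the CVE numbers, the refs list should also carry the two CVE records (CVE-2022-3602 and CVE-2022-3786, e.g. their NVD entries) so that readers can follow the identifiers without going through the advisory text; the advisory URL added here duplicates the one already embedded in the desc, and the October mailing-list entry is the pre-announcement, so listing the 01 November advisory first would put the authoritative source at the top.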
