forked from mondoohq/cnspec-policies
mondoo-openssl-vulnerability.mql.yaml

# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

policies:
  - uid: mondoo-openssl-vulnerability
    name: OpenSSL Vulnerability Policy
    version: 1.1.0
    license: BUSL-1.1
    tags:
      mondoo.com/category: security
      mondoo.com/platform: linux,unix
    authors:
      - name: Mondoo, Inc
        email: [email protected]
    docs:
      desc: |
        ## Overview

        The OpenSSL Vulnerability Policy by Mondoo checks for vulnerable OpenSSL installations on Unix/Linux systems.

        ## Remote scan

        Remote scans use native providers in cnspec to provide on-demand scan results without the need to install any agents or integrations.

        For a complete list of native providers run:

        ```bash
        cnspec scan --help
        ```

        ### Scan a machine via ssh

        Open a terminal and run cnspec scan:

        ```bash
        cnspec scan ssh [email protected] -i <ssh-key-file> -f mondoo-unix-openssl-vulnerability.mql.yaml
        ```

        ### Scan a container

        ```bash
        cnspec scan container ubuntu:22.04 -f mondoo-unix-openssl-vulnerability.mql.yaml
        ```

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - title: Unix OpenSSL
        filters: asset.family.contains('unix')
        checks:
          - uid: mondoo-openssl-vulnerability
queries:
  - uid: mondoo-openssl-vulnerability
    title: Ensure vulnerable OpenSSL versions 3.0.0 - 3.0.6 are not installed
    impact: 100
    mql: |
      semver(package('openssl').version.find(/\d+\.\d+\.\d+/).first) < semver("3.0.0") ||
      semver(package('openssl').version.find(/\d+\.\d+\.\d+/).first) > semver("3.0.6")
    docs:
      desc: |
        The OpenSSL Project released a security fix (OpenSSL version 3.0.7) for the newly disclosed CVE-2022-3602 and CVE-2022-3786 on Tuesday, November 1, 2022. These CVEs are categorized as "HIGH" and affect OpenSSL versions from 3.0.0 to 3.0.6.

        OpenSSL [issue severity](https://www.openssl.org/policies/general/security-policy.html) definition:

        This includes issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control.

        OpenSSL is the most popular open source cryptography and SSL/TLS toolkit. It's used by most HTTPS websites and is the crucial mechanism to encrypt connections to servers. Since OpenSSL is so fundamental to our infrastructure, such a critical vulnerability represents a severe threat to a wide range of businesses and individuals.

        [OpenSSL Security Advisory 2022-11-01](https://www.openssl.org/news/secadv/20221101.txt)
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Type `cnspec shell`
        3. Run this query:

        ```mql
        semver(package('openssl').version.find(/\d+\.\d+\.\d+/).first) < semver("3.0.0") ||
        semver(package('openssl').version.find(/\d+\.\d+\.\d+/).first) > semver("3.0.6")
        ```

        Example output:

        ```mql
        [failed] packages.all()
          actual: [
            0: package id = deb://libssl3/3.0.1-0ubuntu1/amd64
            1: package id = deb://openssl/3.0.1-0ubuntu1/amd64
          ]
        ```
      remediation: |
        ## Update via shell

        Run this command to update the openssl version:

        ### Debian / Ubuntu

        ```bash
        apt update && apt --only-upgrade install -y libssl3
        ```

        ### RHEL/Fedora/Amazon Linux and derivatives

        ```bash
        dnf update openssl-libs
        ```

        ## Update via Ansible

        ### Debian / Ubuntu

        ```yaml
        - hosts: <define hosts>
          tasks:
            - name: Update openssl package for Debian based OS
              ansible.builtin.apt:
                name: libssl3
                state: latest
                update_cache: yes
                only_upgrade: yes
              become: yes
        ```

        ### RHEL/Fedora/Amazon Linux and derivatives

        ```yaml
        - hosts: <define hosts>
          tasks:
            - name: Update openssl package for Red Hat based OS
              ansible.builtin.dnf:
                name: openssl-libs
                state: latest
                update_only: yes
              become: yes
        ```
    refs:
      - url: https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
        title: OpenSSL mailing list
      - url: https://www.openssl.org/news/secadv/20221101.txt
        title: OpenSSL Security Advisory [01 November 2022]
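The policy's MQL check extracts the first `X.Y.Z` from the distro package version and compares it as a semver against the 3.0.0 to 3.0.6 range. The Python below is an added illustration of that same test, not code from cnspec or from this policy, run over a constructed package inventory in the shape of the policy's example output. It shows what the `\d+\.\d+\.\d+` pattern discards (a Debian epoch or revision, an RPM release, a 1.1.x letter suffix) and why the comparison must be numeric rather than lexical: as strings, "3.0.10" sorts below "3.0.6" and would be misclassified as vulnerable. The package names and version strings in `SAMPLE_INVENTORY` are constructed, not real scan results.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Affected upstream range named by the advisory: 3.0.0 through 3.0.6 inclusive.
VULN_LOW: Tuple[int, int, int] = (3, 0, 0)
VULN_HIGH: Tuple[int, int, int] = (3, 0, 6)

# Same pattern as the policy's find(/\d+\.\d+\.\d+/): the first X.Y.Z in the string.
SEMVER_RE = re.compile(r"\d+\.\d+\.\d+")


def extract_semver(pkg_version: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first X.Y.Z out of a distro package version string.

    Distro versions carry extra material the comparison has to ignore:
    a Debian epoch ("1:3.0.2-0ubuntu1.10"), a Debian revision ("-0ubuntu1"),
    an RPM release ("3.0.7-24.el9"), or a 1.1.x letter suffix ("1.1.1k-7.el8").
    Returns None when no X.Y.Z is present at all.
    """
    match = SEMVER_RE.search(pkg_version)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.group(0).split("."))
    return (major, minor, patch)


def is_vulnerable(pkg_version: str) -> bool:
    """True when the upstream version falls inside 3.0.0..3.0.6.

    Components are compared as integers, as semver() does in MQL. A plain
    string comparison would order "3.0.10" below "3.0.6" and get this wrong.
    """
    version = extract_semver(pkg_version)
    if version is None:
        return False  # nothing parseable to compare; not reported as affected
    return VULN_LOW <= version <= VULN_HIGH


def find_vulnerable(packages: Iterable[Tuple[str, str]]) -> List[str]:
    """Return 'name/version' for every inventory entry in the affected range."""
    return [f"{name}/{version}" for name, version in packages if is_vulnerable(version)]


# Constructed inventory (package name, distro version string) modelled on the
# policy's example output. These are illustrative values, not real scan results.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("libssl3", "3.0.1-0ubuntu1"),          # in range: flagged
    ("openssl", "3.0.1-0ubuntu1"),          # in range: flagged
    ("libssl3", "1:3.0.2-0ubuntu1.10"),     # constructed epoch prefix, still 3.0.2: flagged
    ("openssl-libs", "3.0.7-24.el9"),       # fixed release: not flagged
    ("openssl", "3.0.10-1~deb12u1"),        # above range; lexical compare would misfire here
    ("openssl", "1.1.1k-7.el8"),            # 1.1.1 branch is outside the affected range
    ("openssl", "unknown"),                 # no X.Y.Z present: not flagged
]

if __name__ == "__main__":
    for entry in find_vulnerable(SAMPLE_INVENTORY):
        print(f"[failed] {entry}")
```

One caveat a practitioner should keep in mind when reading either the MQL or this illustration: distributions routinely backport security fixes without changing the upstream `X.Y.Z`, so a pure version-range test can flag a package that the vendor has already patched. The distribution's own security notice for CVE-2022-3602 and CVE-2022-3786 is the authoritative source for whether a given package build is fixed.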