TPS-2022-003 CVE-2022-3602 OpenSSL 3.0

Overview

OpenSSL 3.x versions earlier than 3.0.7 have been found to be vulnerable to a flaw that can lead to a crash or unexpected behavior.

SmartOS Platform Images 20211216 and later include OpenSSL 3. This affects only the following client applications when used from the platform image.

  • curl
  • wget
  • openldap

OpenSSL 3.0 is not yet included in any pkgsrc branch, so pkgsrc packages are unaffected. For LX, Docker, KVM, or BHYVE guests, follow the advisory of the guest operating system’s upstream vendor.

Triton services and API endpoints (e.g., CloudAPI) are unaffected.

Actions Taken by Us

This issue has been fixed in the SmartOS platform image in OS-8417. Platform images including the associated commit (release-20221103 and later) have been fixed.

A new platform image is available in the release channel (20221103T001803Z), and updated SmartOS boot images are available in Manta.

Actions You Need to Take

Triton Operators

This platform image should be installed and assigned to all SmartOS compute nodes. You can use the following commands to prepare the new platform image.

sdcadm platform install -C release 20221103T001803Z
sdcadm platform assign 20221103T001803Z $(sdc-server lookup system_type=SunOS)

Once each compute node is rebooted, it can no longer be affected by this issue.

SmartOS Stand-alone Users

Stand-alone SmartOS servers should be rebooted to the appropriate image.

If you are using a bootable pool, you can install the updated image using piadm.

piadm install 20221103T001803Z
piadm activate 20221103T001803Z
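After rolling out the platform image with sdcadm or piadm as described above, operators usually want a quick way to confirm that a given host is actually running a fixed image. The following script is an added example, not part of this advisory or of the SmartOS tooling; it assumes that `uname -v` on SmartOS prints the platform image as `joyent_<YYYYMMDDTHHMMSSZ>` and compares that stamp against the fixed release 20221103T001803Z.

```shell
#!/bin/sh
# Added example (not from the MNX advisory): report whether a SmartOS host runs a
# platform image that includes the OS-8417 fix for CVE-2022-3602.
# Assumption: `uname -v` prints "joyent_<YYYYMMDDTHHMMSSZ>" on SmartOS.

FIXED_PLATFORM="20221103T001803Z"   # first fixed release from the advisory

# Strip the "joyent_" prefix and return the bare platform timestamp.
platform_stamp() {
    printf '%s\n' "$1" | sed 's/^joyent_//'
}

# Exit 0 if the platform stamp is at or after FIXED_PLATFORM, 1 if it is older,
# 2 if the string is not a recognisable platform stamp.  The stamps are
# fixed-width ISO 8601, so a plain string comparison orders them correctly.
platform_is_fixed() {
    stamp=$(platform_stamp "$1")
    case "$stamp" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
        *) return 2 ;;
    esac
    # expr compares non-numeric operands as strings; prints 1 when true.
    [ "$(expr "$stamp" \>= "$FIXED_PLATFORM")" = 1 ]
}

# One-line verdict for the host this script runs on.
check_running_platform() {
    running=$(uname -v)
    if platform_is_fixed "$running"; then
        echo "OK: platform $running includes the OS-8417 fix"
    else
        echo "ACTION NEEDED: platform $running predates $FIXED_PLATFORM (or is unrecognised)"
    fi
}
```

On a Triton head node the same `platform_is_fixed` check can be applied to the platform column of `sdc-server list` for every compute node, so that nodes still booted on an older image are caught before they drop off the reboot schedule.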

Support

If you are a MNX customer and have any further questions or concerns after reading the information provided above, please contact MNX Support.

If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.

References