TPS-2023-003 OpenSSL Multiple CVEs

Overview

OpenSSL has released an [advisory for multiple CVEs].

This affects the only the following components client applications when used from the platform image.

  • curl
  • wget
  • openldap
  • node.js (as used by imgadm)

Pkgsrc packages

Triton services and API endpoints (e.g., CloudAPI) are unaffected.

Actions taken by Us

This issue has been fixed in the SmartOS platform image in OS-8442. Platform images including the associated commit (release-20220209 and later) have been fixed.

A new platform image is available in the release channel (20230209T001143Z), and updated SmartOS boot images are available in Manta.

Actions You Need to Take

Triton Operators

This platform should be installed and assigned to all SmartOS compute nodes. You can use the following commands to prepare the new platform image.

sdcadm platform install -C release 20230209T001143Z
sdcadm platform assign 20230209T001143Z $(sdc-server lookup system_type=SunOS)

Once each compute node is rebooted, it can no longer be affected by this issue.

SmartOS stand-alone Users

Stand alone SmartOS servers should be rebooted to the appropriate image.

If you are using a bootable pool, you can install the updated image using piadm.

piadm install 20230209T001143Z
piadm activate 20230209T001143Z

Support

If you are a MNX customer and have any further questions or concerns after reading the information provided above, please contact MNX Support.

If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.

References