Security Advisory: Critical OpenSSL Vulnerability – Docker
What is it?
The OpenSSL Project will release a security fix (OpenSSL version 3.0.7) for a new-and-disclosed CVE on Tuesday, November 1, 2022. This CVE is categorized as “CRITICAL” and affects all OpenSSL versions after 3.0.
Docker estimates about 1,000 image repositories could be impacted across various Docker Official Images and Docker Verified Publisher images. This includes images that are based on versions of Debian 12, Ubuntu 22.04, and Red Hat Enterprise Linux 9+ which install 3.x versions of OpenSSL.
We’re updating our users now so you can prepare to remediate any impacted images. We’ll also update this advisory as the OpenSSL Project releases more details next week.
Am I vulnerable?
While we’re waiting on the Project to release specific vulnerability details, you can still see if your public and private repositories are impacted. Docker created a placeholder for the OpenSSL CVE, which we’ll soon replace with the official CVE once it’s disclosed.
Like with Heartbleed, OpenSSL’s maintainers are being careful about what information they publicize until a fix arrives. However, you can act before this announcement. We’ve created a way to quickly and transparently analyze any image’s security flaws.
Visit Docker’s Image Vulnerability Database, navigate to the “Vulnerability search” tab, and search for the placeholder security advisory dubbed “DSA-2022-0001.” You can also use this tool to see other vulnerabilities as they’re discovered, receive updates to refresh outdated base images, and more.
Once we learn more about this vulnerability, you can take targeted steps to determine how vulnerable you are. We suggest using the docker scan CLI command and Snyk’s Docker Hub Vulnerability Scanning tool. This will help detect the presence of vulnerable library versions and flag your image as vulnerable.
Alternatively, Docker is providing an experimental local tool to detect OpenSSL 3.x in Docker images. You can install this tool from its GitHub repository. Then, you can search your image for an OpenSSL 3.x version with the following command:
$ docker-index cve --image <image>@sha256:1a6b42a0a86c9b62ee584f209a17d55a2c0c1eea14664829b2630f28d57f430d DSA-2022-0001
If the image contains a potentially vulnerable OpenSSL version, your terminal output will resemble the following:
WARNING Detected DSA-2022-0001 at
WARNING
WARNING pkg:deb/ubuntu/[email protected]?os_distro=jammy&os_name=ubuntu&os_version=22.04
WARNING
WARNING Instruction: /bin/sh -c #(nop) ADD file:ba96f963bbfd429a0839c40603fdd7829eaca58f20adfa0d15e6beae8244bc08 in /
WARNING Layer 0: sha256:301a8b74f71f85f3a31e9c7e7fedd5b001ead5bcf895bc2911c1d260e06bd987
And if Docker doesn’t detect a vulnerable version of OpenSSL in your image, you’ll see the following:
INFO DSA-2022-0001 not detected
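The same kind of check can be run over a package inventory you already have. The sketch below is an added example, not Docker's tool or code from this advisory: it classifies package URLs against the two facts stated above (OpenSSL 3.0 and later is affected, 3.0.7 carries the fix). The package-name set, the status labels and every sample value are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

FIXED = (3, 0, 7)  # upstream release carrying the fix, per the advisory
# Assumed package names that ship OpenSSL on common distros (not exhaustive).
OPENSSL_PKGS = {"openssl", "libssl3", "libssl1.1", "openssl-libs"}
PURL_RE = re.compile(r"^pkg:[^/]+/(?:[^/@]+/)?(?P<name>[^@?]+)@(?P<ver>[^?#]+)")

def upstream_version(pkg_version):
    """Drop the distro epoch and revision: '1:3.0.2-0ubuntu1' -> (3, 0, 2)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", pkg_version.split(":", 1)[-1])
    return tuple(int(x) for x in m.groups()) if m else None

def classify(purl):
    """Return a status label for one package URL."""
    m = PURL_RE.match(purl.strip())
    if not m or unquote(m["name"]) not in OPENSSL_PKGS:
        return "not-openssl"
    ver = upstream_version(unquote(m["ver"]))
    if ver is None:
        return "unknown-version"
    if ver[0] < 3:
        return "not-affected"          # 1.x branches are outside the range
    if ver < FIXED:
        # Distros may backport a fix without changing the upstream number,
        # so this is a lead to confirm against the distro's own advisory.
        return "potentially-affected"
    return "fixed-upstream"

def scan(purls):
    """Map every OpenSSL-related purl in the inventory to its status."""
    found = {p: classify(p) for p in purls}
    return {p: s for p, s in found.items() if s != "not-openssl"}

# Constructed sample inventory (not taken from a real image).
SAMPLE = [
    "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1?os_distro=jammy&os_name=ubuntu",
    "pkg:deb/debian/libssl1.1@1.1.1n-0+deb11u3?os_distro=bullseye",
    "pkg:rpm/redhat/openssl-libs@3.0.1-41.el9_0?arch=x86_64",
    "pkg:deb/ubuntu/bash@5.1-6ubuntu1",
    "pkg:deb/debian/libssl3@3.0.7-1",
]

if __name__ == "__main__":
    for purl, status in scan(SAMPLE).items():
        print(f"{status:22} {purl}")
```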
Check back soon for more
As mentioned earlier, we’ll update this blog once the OpenSSL Project provides more vulnerability details. We also encourage you to sign up for our Early Access Program to access the tools discussed in this blog — plus share invaluable product feedback to help us improve!