OpenSSLv3 Vulnerability
Overview
A high-severity vulnerability in OpenSSL v3 was disclosed on November 1, 2022.
It is not clear whether it affects SFTP Gateway v3 at all, but you can run OS updates to get the latest patch.
Am I affected
The OpenSSLv3 vulnerability affects OpenSSL 3.0.0 - 3.0.6. OpenSSL 3.0.7 is the release that fixes the issue. See https://ubuntu.com/security/CVE-2022-3602
It is questionable whether SFTP Gateway is affected, because the vulnerability is in X.509 certificate handling, which OpenSSH and the SFTP protocol do not use.
To determine your version of OpenSSL, run the following command:
sudo su
apt list openssl
You will see the following output, which in this case shows version 3.0.2:
Listing... Done
openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.6 amd64 [installed,automatic]
If you are running OpenSSL v1, you are not affected.
Note: The version of OpenSSL does not always correlate with the minor version of SFTP Gateway v3. This is because many customers may have run the in-place upgrade, and still be on the older Ubuntu 20.04 (OpenSSL v1).
How to remediate
Run the following commands to update the OS:
sudo apt update
sudo apt upgrade
Then, re-run this command:
apt list openssl
You should see the following output:
Listing... Done
openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.7 amd64 [installed,automatic]
You'll notice that 3.0.2-0ubuntu1.6 has changed to 3.0.2-0ubuntu1.7. This 1.7 package revision includes the patch for the CVE. See https://askubuntu.com/questions/1438582/how-to-install-openssl-3-0-7-on-ubuntu-22-04
Note: OpenSSL will still show version 3.0.2, and not 3.0.7. What is important to focus on here is the 1.7 package revision, which contains the patch.
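The check above can be scripted so that the package revision, not the upstream version string, decides the outcome. The following is an added example, not part of the original article or the SFTP Gateway product; it assumes the Ubuntu 22.04 (jammy) version layout shown in the apt output above and uses only the facts stated on this page (3.0.0 - 3.0.6 affected, 3.0.7 fixed upstream, 3.0.2-0ubuntu1.7 is the patched jammy build, OpenSSL 1.x not affected).

```shell
#!/bin/sh
# Added example: classify an Ubuntu openssl package version against CVE-2022-3602.
# Only the jammy backport revision (0ubuntu1.7) is recognised; any other build
# with upstream 3.0.0-3.0.6 is conservatively reported as vulnerable.

# Compare two dotted numeric strings (e.g. 1.6 vs 1.10); prints lt, eq or gt.
cmp_dotted() {
  cd_a=$1; cd_b=$2
  while [ -n "$cd_a" ] || [ -n "$cd_b" ]; do
    cd_x=${cd_a%%.*}; cd_y=${cd_b%%.*}
    case $cd_a in *.*) cd_a=${cd_a#*.};; *) cd_a=;; esac
    case $cd_b in *.*) cd_b=${cd_b#*.};; *) cd_b=;; esac
    if [ "${cd_x:-0}" -lt "${cd_y:-0}" ]; then echo lt; return; fi
    if [ "${cd_x:-0}" -gt "${cd_y:-0}" ]; then echo gt; return; fi
  done
  echo eq
}

# Pull the version column out of one "apt list openssl" output line.
version_from_apt_line() {
  printf '%s\n' "$1" | awk '{ print $2 }'
}

# Classify a package version such as 3.0.2-0ubuntu1.6.
# Prints not-affected, patched or vulnerable.
openssl_status() {
  os_upstream=${1%%-*}      # part before the first "-" (upstream version)
  os_revision=${1#*-}       # part after it (Debian/Ubuntu package revision)
  case $os_upstream in 1.*) echo not-affected; return;; esac
  # Upstream 3.0.7 or later carries the fix regardless of revision.
  if [ "$(cmp_dotted "$os_upstream" 3.0.7)" != lt ]; then echo patched; return; fi
  # Jammy ships 3.0.2 and backported the fix in revision 0ubuntu1.7.
  if [ "$os_upstream" = 3.0.2 ]; then
    case $os_revision in
      0ubuntu*)
        if [ "$(cmp_dotted "${os_revision#0ubuntu}" 1.7)" != lt ]; then
          echo patched; return
        fi;;
    esac
  fi
  echo vulnerable
}

# Constructed sample: the pre-update output line shown in this article.
SAMPLE_LINE='openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.6 amd64 [installed,automatic]'
openssl_status "$(version_from_apt_line "$SAMPLE_LINE")"
```

On a live system, replace SAMPLE_LINE with the output of apt list openssl (the second line, after "Listing... Done").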