A high level vulnerability for OpenSSL v3 emerged November 1, 2022.
It's not clear if this even impacts SFTP Gateway v3. But you can run OS updates to get the latest patch.
Am I affected
The OpenSSLv3 vulnerability affects OpenSSL
3.0.7 is a release that fixes the issue. See https://ubuntu.com/security/CVE-2022-3602
It's questionable whether SFTP Gateway is affected, because the vulnerability relates to X.509 which OpenSSH and the SFTP protocol do not use.
To determine your version of OpenSSL, run the following command:
sudo su apt list openssl
You will see the following output, which in this case is
Listing... Done openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.6 amd64 [installed,automatic]
If you are running OpenSSL v1, you are not affected.
Note: The version of OpenSSL does not always correlate with the minor version of SFTP Gateway v3. This is because many customers may have run the in-place upgrade, and still be on the older Ubuntu 20.04 (OpenSSL v1).
How to remediate
Run the following commands to update the OS:
sudo apt update sudo apt upgrade
Then, re-run this command:
apt list openssl
You should see the following output:
Listing... Done openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.7 amd64 [installed,automatic]
You'll notice that
3.0.2-0ubuntu1.6 has changed to
1.7 package includes the patch to the CVE. See https://askubuntu.com/questions/1438582/how-to-install-openssl-3-0-7-on-ubuntu-22-04
Note: OpenSSL will still show version
3.0.2, and not
3.0.7. What's important to focus on here is the
1.7 package version which contains the patch.