Initial Publication Date: 2022/11/01 09:00 PDT
AWS is aware of the recently reported issues regarding OpenSSL 3.0 (CVE-2022-3602 and CVE-2022-3786). AWS services are not affected, and no customer action is required. Additionally, Amazon Linux 1 and Amazon Linux 2 do not ship with OpenSSL 3.0 and are not affected by these issues. Customers utilizing Amazon Linux 2022, Bottlerocket OS or ECS-optimized Amazon Machine Images (AMIs) on Amazon ECS should read the instructions below.
As a security best practice, we encourage customers who manage environments containing OpenSSL 3.0 to update to the latest version, available at https://www.openssl.org/source/ or via their operating system’s software update mechanism.
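One way to work out which systems in an environment contain OpenSSL 3.0 before updating them, as an added example that is not part of the AWS bulletin: the function names, host names and version strings below are hypothetical and constructed for illustration. The `.so.3` library names are shared by every OpenSSL 3.x release, so results from the file search are candidates to version-check rather than confirmations.

```shell
#!/bin/sh
# Added example (not AWS code): find where OpenSSL 3.0 is present.

# is_openssl_30 STRING: succeeds when STRING, either an `openssl version`
# line or a bare package version, names an OpenSSL 3.0 release.
is_openssl_30() {
    v=${1#OpenSSL }   # drop the "OpenSSL " prefix if present
    v=${v%% *}        # keep the version token, drop the build date
    case "$v" in
        3.0|3.0.*|3.0-*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_openssl3_libs ROOT: list OpenSSL 3.x shared libraries under ROOT,
# including copies bundled with applications outside the OS package.
find_openssl3_libs() {
    find "$1" \( -name 'libcrypto.so.3*' -o -name 'libssl.so.3*' \) \
        \( -type f -o -type l \) 2>/dev/null | sort
}

# list_hosts_with_30: read "name|version" records on stdin and print the
# names that report OpenSSL 3.0.
list_hosts_with_30() {
    while IFS='|' read -r name ver; do
        [ -n "$name" ] || continue
        if is_openssl_30 "$ver"; then printf '%s\n' "$name"; fi
    done
}

# Constructed sample inventory (host names and versions are made up).
sample_inventory() {
    cat <<'EOF'
al2-web|OpenSSL 1.0.2k-fips  26 Jan 2017
al2022-preview|OpenSSL 3.0.5 5 Jul 2022
build-box|OpenSSL 1.1.1k  25 Mar 2021
ecs-al2022|3.0.5-1.example
EOF
}

sample_inventory | list_hosts_with_30
```

On a real host, feed `list_hosts_with_30` with collected `openssl version` output and run `find_openssl3_libs` against the root file system or an unpacked container image.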
Amazon Linux 2022
We will release an updated version of OpenSSL 3.0 to the Amazon Linux 2022 repositories shortly. Once available, customers testing the preview release of Amazon Linux 2022 should upgrade to the patched version of OpenSSL 3.0. Updated Amazon Linux 2022 AMIs will also be available shortly.
More information is available in the Amazon Linux Security Center: https://alas.aws.amazon.com/alas2022.html
Amazon Elastic Container Service
Amazon ECS will release updated ECS-optimized Amazon Machine Images (AMIs) containing mitigations for these issues shortly. More information about the ECS-optimized AMI is available at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html.
Meanwhile, we recommend that ECS customers who use the preview release of the ECS-optimized Amazon Linux 2022 AMI update the version of OpenSSL 3.0 via DNF configuration. More information is available at https://docs.aws.amazon.com/linux/al2022/ug/managing-repos-os-updates.html.
Bottlerocket OS
While Bottlerocket OS itself is not affected by these issues, we will shortly release a patched version of the Bottlerocket Update Operator solution containing the latest version of OpenSSL 3.0. Customers using the preview versions of the Bottlerocket Update Operator should upgrade to the new 1.0.0 version when it is available. We expect version 1.0.0 to be available no later than November 2, 2022.
Information about the Bottlerocket Update Operator is available at https://github.com/bottlerocket-os/bottlerocket-update-operator and security advisories may be found at https://github.com/bottlerocket-os/bottlerocket-update-operator/security/advisories.