Initial Publication Date: 2022/11/01 09:00 PDT

AWS is aware of the recently reported issues regarding OpenSSL 3.0 (CVE-2022-3602 and CVE-2022-3786). AWS services are not affected, and no customer action is required. Additionally, Amazon Linux 1 and Amazon Linux 2 do not ship with OpenSSL 3.0 and are not affected by these issues. Customers utilizing Amazon Linux 2022, Bottlerocket OS or ECS-optimized Amazon Machine Images (AMIs) on Amazon ECS should read the instructions below.

As a security best practice, we encourage customers who manage environments containing OpenSSL 3.0 to update to the latest version, available at or via their operating system’s software update mechanism.

Amazon Linux 2022

We will release an updated version of OpenSSL 3.0 to the Amazon Linux 2022 repositories shortly. Once available, customers testing the preview release of Amazon Linux 2022 should upgrade to the patched version of OpenSSL 3.0. Updated Amazon Linux 2022 AMIs will also be available shortly.

More information is available in the Amazon Linux Security Center:

​Amazon Elastic Container Service

Amazon ECS will release updated ECS-optimized Amazon Machine Images (AMIs) containing mitigations for these issues shortly. More information about the ECS-optimized AMI is available at

​Meanwhile, we recommend that ECS customers who use the preview release of the ECS-optimized Amazon Linux 2022 AMI update the version of OpenSSL 3.0 via DNF configuration. More information is available at

​Bottlerocket OS

While Bottlerocket OS itself is not affected by these issues, we will shortly release a patched version of the Bottlerocket Update Operator solution containing the latest version of OpenSSL 3.0. Customers using the preview versions of the Bottlerocket Update Operator should upgrade to the new 1.0.0 version when it is available. We expect version 1.0.0 to be available no later than November 2, 2022.

Information about the Bottlerocket Update Operator is available at and security advisories may be found at