CVE-2022-1292

Posted: 2022/09/16 15:17:07
by szyman
Dear all,

We are using CentOS7 as a base image for our docker images.
We noticed two critical vulnerabilities related to OpenSSL, which is present in CentOS7: According to RedHat they are classified as moderate: Does the same (RedHat explanation) apply to CentOS, as it is based on RedHat?

Best regards,

Re: CVE-2022-1292

Posted: 2022/09/16 17:41:14
by TrevorH

[root@centos7 ~]# yum provides '*/c_rehash'
Loaded plugins: priorities
188 packages excluded due to repository priority protections
1:openssl-perl-1.0.2k-19.el7.x86_64 : Perl scripts provided with OpenSSL
Repo        : base
Matched from:
Filename    : /usr/bin/c_rehash

Do you have that package installed? And yes, CentOS 7 is a rebuild of RHEL 7 so the same explanation applies.

Re: CVE-2022-1292

Posted: 2022/09/19 11:30:37
by szyman
Hi TrevorH!

Thanks a lot for your response.
Very good hint :)

The vulnerability scanner detected that our installation has the two CVE issues mentioned above.
However, after in-depth analysis it looks like the OpenSSL-perl package seems to be NOT installed (I guess the scanner was searching just for the OpenSSL version):

[root@27de976b2d39 bin]# yum provides '*/c_rehash'
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: mirrors.xtom.de
 * epel: mirrors.xtom.de
 * extras: ftp.uni-bayreuth.de
 * updates: mirror.init7.net
1:openssl-perl-1.0.2k-19.el7.x86_64 : Perl scripts provided with OpenSSL
Repo        : base
Matched from:
Filename    : /usr/bin/c_rehash

and

[root@27de976b2d39 bin]# yum list installed | grep openssl
openssl-libs.x86_64                         1:1.0.2k-25.el7_9           @updates

so it looks like c_rehash is also not present (I also manually confirmed that in /usr/bin), therefore our installation is safe.
Am I right, or did I miss something obvious?
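
Added example, not part of the thread and not written by either poster: a shell check for the question discussed above, namely whether the c_rehash script that CVE-2022-1292 concerns is actually on an image's filesystem. `yum provides` searches repository metadata, so it lists openssl-perl whether or not the package is installed. The function names `find_c_rehash` and `report_c_rehash` and the list of bin directories are assumptions made for this example.

```shell
#!/bin/sh
# Added example: look for c_rehash under a root filesystem (a running
# container's "/" or an extracted image), instead of relying on the
# openssl version string a scanner matched.

# find_c_rehash ROOT
# Prints each c_rehash found in ROOT's usual bin directories (assumed list).
# Returns 0 if at least one was found, 1 if none.
find_c_rehash() {
    _root="${1:-/}"; _root="${_root%/}"; _found=1
    for _dir in usr/bin usr/sbin bin sbin usr/local/bin usr/local/sbin; do
        # On CentOS 7 /bin and /sbin are symlinks into /usr; skip them
        # so the same file is not reported twice.
        [ -L "$_root/$_dir" ] && continue
        if [ -e "$_root/$_dir/c_rehash" ]; then
            printf '%s\n' "$_root/$_dir/c_rehash"
            _found=0
        fi
    done
    return "$_found"
}

# report_c_rehash ROOT
# Combines the installed-package query (rpm -q reads the rpm database,
# unlike "yum provides") with the file check, because a copied script
# would not show up in the package list.
report_c_rehash() {
    _r="${1:-/}"
    if command -v rpm >/dev/null 2>&1; then
        if rpm --root "$_r" -q openssl-perl >/dev/null 2>&1; then
            echo "openssl-perl: installed"
        else
            echo "openssl-perl: not installed (or no rpm database under $_r)"
        fi
    fi
    if _paths=$(find_c_rehash "$_r"); then
        echo "c_rehash: present"
        echo "$_paths"
    else
        echo "c_rehash: absent from standard bin directories"
    fi
}

# Usage: sh check_c_rehash.sh /path/to/rootfs   (absolute path)
if [ "$#" -gt 0 ]; then
    report_c_rehash "$1"
fi
```

Run it inside the container with `/` as the argument, or against an exported image root from the host.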