PowerCLI


OpenSSL CVEs in ovftool 4.4.3

  • 1.  OpenSSL CVEs in ovftool 4.4.3

    Posted Mar 20, 2024 09:07 AM

    Hi Team,

    We see OpenSSL 1.0.2x CVEs with the bundled libs from ovftool 4.4.3:

    [root@test-server admin]# ovftool --version
    VMware ovftool 4.4.3 (build-18663434)

    [root@test-server admin]# strings /usr/lib/vmware-ovftool/libcrypto.so.1.0.2 | grep -m 1 "OpenSSL 1.0.2"
    OpenSSL 1.0.2za-fips 24 Aug 2021

    When doing a Nessus scan, we noticed the CVEs below:

    CVE-2022-0778   OpenSSL 1.0.2 < 1.0.2zd Vulnerability
    CVE-2022-1292   OpenSSL 1.0.2 < 1.0.2ze Vulnerability
    CVE-2022-2068   OpenSSL 1.0.2 < 1.0.2zf Vulnerability
    CVE-2022-4304   OpenSSL 1.0.2 < 1.0.2zg Multiple Vulnerabilities
    CVE-2023-0215   OpenSSL 1.0.2 < 1.0.2zg Multiple Vulnerabilities
    CVE-2023-0286   OpenSSL 1.0.2 < 1.0.2zg Multiple Vulnerabilities

    It seems the fix is to upgrade to 1.0.2zg, which will address all these CVEs.

    Do we have any fix/workaround for these CVEs in ovftool?

    Regards,

    Srini
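The manual check in the post (pull the banner out of the bundled libcrypto, then eyeball it against the Nessus "fixed in" releases) is easy to turn into a repeatable gate. The POSIX shell script below is an added example; it is not code from the original post or from VMware's ovftool. It reuses the library path and the `strings | grep` extraction from the post, takes the CVE-to-release map from the Nessus plugin names quoted above, and embeds the banner the post found as a constructed sample so it runs offline. Because OpenSSL 1.0.2 letter releases run a..z and then za, zb, ..., the script maps each suffix to an ordinal and compares numerically.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware's ovftool: compare the
# OpenSSL 1.0.2 letter release bundled with ovftool against the first release
# that fixes each CVE the Nessus scan reported.

# Path from the post; only read when present so the script also runs offline.
OVFTOOL_LIBCRYPTO=/usr/lib/vmware-ovftool/libcrypto.so.1.0.2

# Constructed sample: the banner the post found in libcrypto.so.1.0.2.
SAMPLE_BANNER="OpenSSL 1.0.2za-fips 24 Aug 2021"

# CVE -> first 1.0.2 letter release containing the fix, taken from the
# Nessus plugin names quoted in the post ("OpenSSL 1.0.2 < 1.0.2zd" etc.).
CVE_FIXES="CVE-2022-0778:zd
CVE-2022-1292:ze
CVE-2022-2068:zf
CVE-2022-4304:zg
CVE-2023-0215:zg
CVE-2023-0286:zg"

# Same extraction the post ran by hand.
banner_from_lib() {
    strings "$1" | grep -m 1 'OpenSSL 1\.0\.2'
}

# "OpenSSL 1.0.2za-fips 24 Aug 2021" -> "za"; plain "OpenSSL 1.0.2 ..." -> "".
letter_release() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL 1\.0\.2\([a-z]*\).*/\1/p'
}

# Letter releases run a..z, then za, zb, ...; map them to ordinals so they
# compare with plain -lt: a=1 ... z=26, za=27, zb=28, ... (each 'z' carries 26).
letters_to_ordinal() {
    suffix=$1
    alphabet=abcdefghijklmnopqrstuvwxyz
    total=0
    while [ -n "$suffix" ]; do
        c=${suffix%"${suffix#?}"}      # first remaining character
        suffix=${suffix#?}             # drop it
        before=${alphabet%%"$c"*}      # letters that precede c
        total=$((total + ${#before} + 1))
    done
    echo "$total"
}

# Print, one per line, the CVEs from CVE_FIXES whose fix release is newer than
# the release in the given banner. Prints nothing when everything is fixed.
unpatched_cves() {
    have=$(letters_to_ordinal "$(letter_release "$1")")
    printf '%s\n' "$CVE_FIXES" | while IFS=: read -r cve fixed; do
        if [ "$have" -lt "$(letters_to_ordinal "$fixed")" ]; then
            echo "$cve"
        fi
    done
}

# Human-readable verdict; exit status 1 when any listed CVE still applies,
# so the function can gate a build or deployment step.
check_banner() {
    rel=$(letter_release "$1")
    hits=$(unpatched_cves "$1")
    if [ -n "$hits" ]; then
        printf 'OpenSSL 1.0.2%s is still exposed to:\n%s\n' "$rel" "$hits"
        return 1
    fi
    printf 'OpenSSL 1.0.2%s contains every listed fix\n' "$rel"
}

# Stand-alone run: use the real bundled library if it is readable,
# otherwise fall back to the constructed sample banner.
if [ -r "$OVFTOOL_LIBCRYPTO" ]; then
    banner=$(banner_from_lib "$OVFTOOL_LIBCRYPTO")
else
    banner=$SAMPLE_BANNER
fi
check_banner "$banner" || true
```

The CVE_FIXES map is the only input the script trusts, so extend it as later findings appear. Note that it checks exactly what Nessus checks, the version banner inside the library; whether ovftool actually reaches the affected code (CVE-2022-1292 and CVE-2022-2068, for instance, are in OpenSSL's c_rehash helper script rather than in libcrypto) is a separate question that a banner match cannot settle.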