Hi Team,
We see OpenSSL 1.0.2x CVEs with the bundled libs from ovftool 4.4.3,
[root@test-server admin]# ovftool --version
VMware ovftool 4.4.3 (build-18663434)
[root@test-server admin]# strings /usr/lib/vmware-ovftool/libcrypto.so.1.0.2 | grep -m 1 "OpenSSL 1.0.2"
OpenSSL 1.0.2za-fips 24 Aug 2021
When doing Nessus scan, we noticed the below CVEs,
| CVE-2022-0778 | OpenSSL 1.0.2 < 1.0.2zd Vulnerability |
| CVE-2022-1292 | OpenSSL 1.0.2 < 1.0.2ze Vulnerability |
| CVE-2022-2068 | OpenSSL 1.0.2 < 1.0.2zf Vulnerability |
| CVE-2022-4304 | OpenSSL 1.0.2 < 1.0.2zg Multiple Vulnerabilities |
| CVE-2023-0215 | OpenSSL 1.0.2 < 1.0.2zg Multiple Vulnerabilities |
| CVE-2023-0286 | OpenSSL 1.0.2 < 1.0.2zg Multiple Vulnerabilities |
It seems the fix is upgrade to 1.0.2zg, which will address all these CVEs.
Do we have any fix/workaround for these CVEs in ovftool?
Regards,
Srini
