logo

Database

Security controls bypass or absence In bottlerocket/update-operator

Description

bottlerocket dependency openssl has a double free vulnerability A timing based side channel exists in the OpenSSL RSA decryption implementation which could enable a recovery of plaintext from across the network. This affects all RSA padding modes. A server agent compiled with OpenSSL could be made to give up plaintext payloads over the network, but this would require a large amount of malicious payloads from a third party actor as trial messages. OpenSSL removed in bottlerocket version 1.1.0 in favor of Rust-based TLS using rustls.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. OSV-GHSA-j859-pmrq-9q6c2. GHSA-j859-pmrq-9q6c3. GCVE-GHSA-j859-pmrq-9q6c

References

1. https://github.com/bottlerocket-os/bottlerocket-update-operator/security/advisories/GHSA-j859-pmrq-9q6c2. https://github.com/bottlerocket-os/bottlerocket-update-operator/releases/tag/v1.1.03. https://rustsec.org/advisories/RUSTSEC-2023-0007.html4. https://www.openssl.org/news/secadv/20230207.txt

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.