Vulnerable OpenSSL Version

• Query id: 5fa731ea-e844-47a6-a1e8-abc25e95847e
• Query name: Vulnerable OpenSSL Version
• Platform: Dockerfile
• Severity: High
• Category: Supply-Chain
• URL: Github

Description

OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - dockerfile file

# basic example

FROM ubuntu
RUN wget -O- https://www.openssl.org/source/openssl-3.0.0.tar.gz

Postitive test num. 2 - dockerfile file

# example with args usage

FROM ubuntu

ARG OPENSSL_VERSION=3.0.5

RUN curl https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz

Postitive test num. 3 - dockerfile file

# example with args usage

FROM ubuntu

ARG OPENSSL_SRC=https://www.openssl.org/source/openssl-3.0.4.tar.gz

RUN curl ${OPENSSL_SRC}

Postitive test num. 4 - dockerfile file

# example with envs usage

FROM ubuntu

ENV OPENSSL3_URL "https://www.openssl.org/source/openssl-3.0.3.tar.gz"

RUN apk update \
    && apk upgrade \
    && apk add make gcc

RUN yum -y install \
    && yum clean all \
    && wget ${OPENSSL3_URL}

Postitive test num. 5 - dockerfile file

# example with envs usage

FROM ubuntu

ENV OPENSSL3_URL=https://www.openssl.org/source/openssl-3.0.2.tar.gz

RUN apk update \
    && apk upgrade \
    && apk add make gcc

RUN yum -y install \
    && yum clean all \
    && wget $OPENSSL3_URL

Postitive test num. 6 - dockerfile file

# simple usage

FROM ubuntu

RUN ["curl", "https://www.openssl.org/source/openssl-3.0.2.tar.gz"]

Postitive test num. 7 - dockerfile file

# example with envs usage

FROM ubuntu

ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-3.0.2.tar.gz"

RUN ["wget", "-O-", "${OPENSSL3_URL}"]

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file

# basic example

FROM ubuntu
RUN wget -O- https://www.openssl.org/source/openssl-1.1.1h.tar.gz

Negative test num. 2 - dockerfile file

# example with args usage

FROM ubuntu

ARG OPENSSL_VERSION=1.1.1h

RUN curl https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz

Negative test num. 3 - dockerfile file

# example with args usage

FROM ubuntu

ARG OPENSSL_SRC=https://www.openssl.org/source/openssl-1.1.1h.tar.gz

RUN curl ${OPENSSL_SRC}

Negative test num. 4 - dockerfile file

# example with envs usage

FROM ubuntu

ENV OPENSSL3_URL  "https://www.openssl.org/source/openssl-1.1.1h.tar.gz"

RUN apk update \
    && apk upgrade \
    && apk add make gcc

RUN yum -y install \
    && yum clean all \
    && wget ${OPENSSL3_URL}

Negative test num. 5 - dockerfile file

# example with envs usage

FROM ubuntu

ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-1.1.1h.tar.gz"

RUN apk update \
    && apk upgrade \
    && apk add make gcc

RUN yum -y install \
    && yum clean all \
    && wget ${OPENSSL3_URL}

Negative test num. 6 - dockerfile file

# simple usage

FROM ubuntu

RUN ["curl", "https://www.openssl.org/source/openssl-1.1.1h.tar.gz"]

Negative test num. 7 - dockerfile file

# example with envs usage

FROM ubuntu

ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-1.1.1h.tar.gz"

RUN ["curl", "${OPENSSL3_URL}"]