Vulnerable OpenSSL Version

  • Query id: 5fa731ea-e844-47a6-a1e8-abc25e95847e
  • Query name: Vulnerable OpenSSL Version
  • Platform: Dockerfile
  • Severity: High
  • Category: Supply-Chain
  • URL: Github

Description

OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability. The query flags Dockerfiles whose RUN instructions fetch an OpenSSL source tarball in that version range, whether the version is written directly in the URL or supplied through an ARG or ENV variable.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file
# basic example

FROM ubuntu
RUN wget -O- https://www.openssl.org/source/openssl-3.0.0.tar.gz

Positive test num. 2 - dockerfile file
# example with args usage

FROM ubuntu

ARG OPENSSL_VERSION=3.0.5

RUN curl https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz

Positive test num. 3 - dockerfile file
# example with args usage

FROM ubuntu

ARG OPENSSL_SRC=https://www.openssl.org/source/openssl-3.0.4.tar.gz

RUN curl ${OPENSSL_SRC}

Positive test num. 4 - dockerfile file
# example with envs usage

FROM ubuntu

ENV OPENSSL3_URL "https://www.openssl.org/source/openssl-3.0.3.tar.gz"

RUN apk update \
    && apk upgrade \
    && apk add make gcc

RUN yum -y install \
    && yum clean all \
    && wget ${OPENSSL3_URL}

Positive test num. 5 - dockerfile file
# example with envs usage

FROM ubuntu

ENV OPENSSL3_URL=https://www.openssl.org/source/openssl-3.0.2.tar.gz

RUN apk update \
    && apk upgrade \
    && apk add make gcc

RUN yum -y install \
    && yum clean all \
    && wget $OPENSSL3_URL

Positive test num. 6 - dockerfile file
# simple usage

FROM ubuntu

RUN ["curl", "https://www.openssl.org/source/openssl-3.0.2.tar.gz"]

Positive test num. 7 - dockerfile file
# example with envs usage

FROM ubuntu

ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-3.0.2.tar.gz"

RUN ["wget", "-O-", "${OPENSSL3_URL}"]

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file
# basic example

FROM ubuntu
RUN wget -O- https://www.openssl.org/source/openssl-1.1.1h.tar.gz

Negative test num. 2 - dockerfile file
# example with args usage

FROM ubuntu

ARG OPENSSL_VERSION=1.1.1h

RUN curl https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz

Negative test num. 3 - dockerfile file
# example with args usage

FROM ubuntu

ARG OPENSSL_SRC=https://www.openssl.org/source/openssl-1.1.1h.tar.gz

RUN curl ${OPENSSL_SRC}

Negative test num. 4 - dockerfile file
# example with envs usage

FROM ubuntu

ENV OPENSSL3_URL  "https://www.openssl.org/source/openssl-1.1.1h.tar.gz"

RUN apk update \
    && apk upgrade \
    && apk add make gcc

RUN yum -y install \
    && yum clean all \
    && wget ${OPENSSL3_URL}

Negative test num. 5 - dockerfile file
# example with envs usage

FROM ubuntu

ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-1.1.1h.tar.gz"

RUN apk update \
    && apk upgrade \
    && apk add make gcc

RUN yum -y install \
    && yum clean all \
    && wget ${OPENSSL3_URL}

Negative test num. 6 - dockerfile file
# simple usage

FROM ubuntu

RUN ["curl", "https://www.openssl.org/source/openssl-1.1.1h.tar.gz"]

Negative test num. 7 - dockerfile file
# example with envs usage

FROM ubuntu

ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-1.1.1h.tar.gz"

RUN ["curl", "${OPENSSL3_URL}"]
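As an added example (not KICS's own query implementation, which is written in Rego), the following Python mirrors the detection logic the positive and negative samples above exercise: it records ARG/ENV assignments, expands them into RUN instructions in both shell and exec form, joins backslash continuations, and flags any openssl-<version>.tar.gz reference whose version falls in the 3.0.0 to 3.0.5 range. The function name `find_vulnerable_openssl`, the helpers and the constructed `SAMPLE` are this example's own.

```python
import re

# Versions named in the query description (3.0.0 through 3.0.5).
VULNERABLE = {f"3.0.{patch}" for patch in range(6)}
TARBALL = re.compile(r"openssl-(\d+\.\d+\.\d+[a-z]?)\.tar\.gz")
VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

def _logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None

def _parse_assignment(rest):
    """Handle `K=V`, `K V` and quoted values (one key per ARG/ENV; a simplification)."""
    sep = "=" if "=" in rest.split(None, 1)[0] else " "
    key, _, value = rest.partition(sep)
    return key.strip(), value.strip().strip("\"'")

def find_vulnerable_openssl(dockerfile):
    """Return [(line_no, version)] for RUN instructions fetching a vulnerable tarball."""
    variables, findings = {}, []
    for line_no, line in _logical_lines(dockerfile):
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        instr, rest = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr in ("ARG", "ENV") and rest.strip():
            key, value = _parse_assignment(rest.strip())
            variables[key] = value
        elif instr == "RUN":
            # Exec form never expands variables at build time, but the query still flags
            # such references, so shell and exec forms are both expanded and searched.
            expanded = VAR.sub(lambda m: variables.get(m.group(1), m.group(0)), rest)
            for match in TARBALL.finditer(expanded):
                if match.group(1) in VULNERABLE:
                    findings.append((line_no, match.group(1)))
    return findings

# Constructed sample in the shape of positive test num. 4: ENV resolved in a multi-line RUN.
SAMPLE = ("FROM ubuntu\n"
          'ENV OPENSSL3_URL "https://www.openssl.org/source/openssl-3.0.3.tar.gz"\n'
          "RUN yum clean all \\\n    && wget ${OPENSSL3_URL}\n")  # flags line 3
```

Running `find_vulnerable_openssl(SAMPLE)` reports the RUN instruction on line 3 with version 3.0.3; the 1.1.1h negative samples produce no findings.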