Today, OpenSSL announced two new CVEs and mitigation recommendations. This blog provides guidance as to how you can identify the Open SSL vulnerability using Trivy. To both identify and mitigate the vulnerability, see this blog post Updated Security Advisory: New OpenSSL Vulnerabilities about mitigation with assurance policies in Aqua’s software supply chain solution.
If you have the OpenSSL package installed through your operating system package manager (e.g apt-get, yum, apk, etc), Trivy will detect it.
The following screenshot shows Trivy scanning the nginx container image which has some important OpenSSL related vulnerabilities. The latest OpenSSL vulnerability will be detected and displayed similarly. Note that to show only OpenSSL related vulnerabilities, we have used an optional Trivy filter that is dedicated for this search.
Now you have found the vulnerable package. But you will also need to find the package that needs to be upgraded.
The following shows the result of the same Trivy scan, this time with the --dependency-tree flag that detects the vulnerability and traces it to its origin packages. Trivy can reproduce the reverse dependency tree of the vulnerable package, essentially showing you the actual package that should be upgraded. Finding the vulnerable package is not enough because often it will be a dependency of another application you’ve installed. For example, nginx package might depend on openssl, and, in order to fix the issue, you would need to upgrade nginx and not openssl directly.
If your application uses the Conan package manager for C\C++, Trivy can find the installed package through the Conan lockfile.
The following shows Trivy scanning a code repository with OpenSSL 3.0.0 which has some important vulnerabilities. The new OpenSSL vulnerability will be detected and displayed similarly.
Some containers include applications that were installed without a package manager such as a Dockerfile that builds and copies the binary to the resulting container image.
When scanning such artifacts, any security scanner will have difficulty identifying the application and its dependencies. But Trivy has an innovative feature that can help. It is becoming increasingly common for developers to manage and declare their application’s dependencies proactively in a software bill of materials (SBOM) and store it in a common directory, such as Sigstore. In this case, Trivy will be able to identify the executable binary during the scan and discover its matching SBOM in Sigstore automatically! Learn more in the blog Trivy Can Now Scan Unpackaged Binary Files.
Trivy can be installed in Kubernetes using the Trivy Operator. Trivy Operator automatically scans all of your workloads and creates Kubernetes-native Custom Resources for informing you of vulnerability reports.
The following shows how you can check for OpenSSL related vulnerabilities across all workloads in cluster by examining the generated Vulnerability Reports. Note that the jq utility is used to filter only OpenSSL instances and to construct a report that includes only affected workloads:
Trivy is a quick way to immediately get a view into your exposure for the OpenSSL vulnerability. Visit the github page to get started today.
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads, wherever they are deployed.
Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.