ncsc-nl / openssl-2022 Goto Github PK

Would be nice to automatically build a site (github.io?) with the software table but with filtering and sorting capabilities.

This is an FYI, I have created a PR in the Nuclei with a template to detect web servers with header information containing OpenSSL versions 3.0.0-3.0.6.

The pull request is here: projectdiscovery/nuclei-templates#6130

I will submit a PR to this repo if my template is accepted by the Nuclei team.

Harbor docker images are vulnerable since it uses VMWare Photon 4.0 as base image.

Ref: goharbor/harbor#17724

Deployments outside of Docker should not be impacted.

Vulnerable version range will most probably be <=2.6.1

Nationaal Cyber Security Centrum (NCSC-NL)

Should the cryptography lib from Python be included in this list?

https://github.com/pyca/cryptography

They link OpenSSL at build time, so some versions of the lib could be carrying a vulnerable version of OpenSSL.

They've upgraded the lib already, their version 38.0.3 includes OpenSSL 3.0.7: pyca/cryptography#7758

I think from 37.x.x to 38.0.2 all include a vulnerable OpenSSL

(I wasn't sure if/where a link might make sense, so feel free to close this once you've seen it!)

Just an offer to collaborate / cross reference as we discover things.

Here is where I am working:

https://www.techsolvency.com/story-so-far/cve-tbd-openssl-3.0.7-critical/