Alpine: openssl3: security update to 3.0.6-r0

high Tenable Self-Hosted Container Security Plugin ID 406168

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated
function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged
to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5
incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and
EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation
functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher
from the available providers. An equivalent cipher is found based on the NID passed to
EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is
possible for an application to incorrectly pass NID_undef as this value in the call to
EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation
function will match the NULL cipher as being equivalent and will fetch this from the available providers.
This will succeed if the default provider has been loaded (or if a third party provider has been loaded
that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext.
Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and
subsequently use it in a call to an encryption/decryption initialisation function. Applications that only
use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5). (CVE-2022-3358)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-3358

Plugin Details

Severity: High

ID: 406168

Version: Revision 1.29

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.63

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2022-3358

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 9/29/2022

Reference Information

CVE: CVE-2022-3358

IAVA: 2022-A-0415