CVE-2022-2068 is a critical vulnerability in OpenSSL (version 3.0.2) that affects VMware Tanzu Mission Control (TMC) due to its inclusion in upstream Velero. The vulnerability is present in the following Velero image, so an upstream fix is required before it can be addressed within TMC:
velero-v1-13-2@sha256:31bfc18771d3981e2ad13b0f219bbf3053653d4f1d3e19e501bd02e9d71eef45
VMware Tanzu Mission Control
TMC utilizes Velero for backup and recovery operations, and this vulnerability exists within Velero's OpenSSL dependency. The affected OpenSSL version (3.0.2) has been identified as vulnerable, and this exposure extends to TMC through Velero’s upstream components.
We are working with Velero to remediate this issue. The vulnerability will be addressed in TMC once the upstream Velero components have been patched.
Until the upstream fix is available, we recommend monitoring this KB for updates and applying security best practices to mitigate potential risks.
https://nvd.nist.gov/vuln/detail/CVE-2022-2068
Subscribe to this knowledge article to get updates on this issue.