Broadcom: API Developer Portal 5.x - OpenSSL Security Advisory February 2023

Article ID: 260833

Products

CA API Developer Portal

Issue/Introduction

In February 2023, OpenSSL published a security advisory listing several vulnerabilities in the OpenSSL library.

The scope of this article is to assess their impact on the API Developer Portal 5.x containers.

Environment

API Developer Portal 5.x

Cause

The following vulnerabilities (CVEs) were published in the February 2023 OpenSSL security advisory:

  • CVE-2023-0215 - Use-after-free following BIO_new_NDEF
  • CVE-2023-0216 - Invalid pointer dereference in d2i_PKCS7 functions
  • CVE-2023-0217 - NULL dereference validating DSA public key
  • CVE-2023-0286 - X.400 address type confusion in X.509 GeneralName
  • CVE-2022-4203 - X.509 Name Constraints Read Buffer Overflow
  • CVE-2022-4304 - Timing Oracle in RSA Decryption
  • CVE-2023-0401 - NULL dereference during PKCS7 data verification
  • CVE-2022-4450 - Double free after calling PEM_read_bio_ex

Reference: OpenSSL Security Advisory, February 2023

Resolution

The Dev team completed their assessment. The CVEs reported in the OpenSSL bulletin do NOT directly impact the Portal containers.

You still need to patch the underlying OS on the host where Docker is installed if it runs a vulnerable version of OpenSSL.

For the Portal OVA image whose OS is provided by Broadcom:

Run: sudo yum update

For an OS installed and maintained by the customer:

1. Determine the version of OpenSSL currently installed on the system.

2. Upgrade OpenSSL to a non-vulnerable version as directed by the vendor:

  • OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
  • OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t.
  • OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg.
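As an added example (not part of the Broadcom article), the following POSIX shell check covers step 1 for a customer-maintained host: it parses the `openssl version` output and classifies it against the three fixed releases listed above, including the letter-suffixed 1.1.1 and 1.0.2 version schemes. The function names and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example, not from the Broadcom article: classify the host's OpenSSL
# build against the fixed releases named in the advisory (3.0.8, 1.1.1t, 1.0.2zg).

# Rank a legacy letter suffix so that 1.0.2zf < 1.0.2zg compares numerically.
# "" -> 0, "a" -> 1 ... "z" -> 26, "za" -> 27 ... "zg" -> 33.
suffix_rank() {
  s=$1; rank=0
  while [ -n "$s" ]; do
    c=$(printf '%s' "$s" | cut -c1)
    n=$(printf '%d' "'$c")       # POSIX printf: 'x yields the character code
    rank=$((rank + n - 96))      # 'a' is 97, so 'a' -> 1
    s=${s#?}
  done
  echo "$rank"
}

# Takes the full `openssl version` line; prints fixed, vulnerable or unlisted.
openssl_status() {
  ver=$(printf '%s' "$1" | awk '{print $2}')      # e.g. "1.1.1k" or "3.0.7"
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; rest=${rest#*.}
  patch=$(printf '%s' "$rest" | sed 's/[^0-9].*//'); patch=${patch:-0}
  suffix=$(printf '%s' "$rest" | sed 's/^[0-9]*//')  # letters after the patch number
  case "$major.$minor.$patch" in
    3.0.*) [ "$patch" -ge 8 ] && echo fixed || echo vulnerable ;;
    1.1.1) [ "$(suffix_rank "$suffix")" -ge "$(suffix_rank t)" ] && echo fixed || echo vulnerable ;;
    1.0.2) [ "$(suffix_rank "$suffix")" -ge "$(suffix_rank zg)" ] && echo fixed || echo vulnerable ;;
    *)     echo unlisted ;;   # branch not covered by the advisory (e.g. EOL 1.1.0); consult the advisory
  esac
}

# Check the host itself (step 1 of the customer-maintained OS procedure); skipped if openssl is absent.
if command -v openssl >/dev/null 2>&1; then
  line=$(openssl version)
  printf '%s -> %s\n' "$line" "$(openssl_status "$line")"
fi
```

Run it on the Docker host, not inside a Portal container, since the advice above is to patch the underlying OS.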