I would like to inquire how linkerd will move forward with the OpenSSL dependency, now that OpenSSL 1.1.1 has reached EoL (link) with the latest 1.1.1w release on Sept 11, 2023.
The reason is that our vulnerability scans report the following CVEs in linkerd-proxy/OpenSSL 1.1.1w (e.g., in v2.14.3):
I found some statements regarding OpenSSL vulnerabilities on the linkerd blog, but these don’t seem to address the ones mentioned in our vulnerability reports: https://buoyant.io/tags/linkerd-updates
The version of OpenSSL that ships with linkerd-proxy is inherited from the distroless base image but it is not used at all by the application. The linkerd proxy exclusively uses rustls.
The linkerd policy controller in stable-2.14 links against OpenSSL 1.1.1 for use in its Kubernetes client. We have planned to update this for stable-2.15; and in fact I’ll put up a PR for that bump now.
Thanks for the clarification!
The policy controller has so far escaped my attention, because I could not yet generate an SBOM from the container image using syft (strangely, it reports 0 packages), so really, thanks for confirming the update of the OpenSSL dependency.