Recently, OpenSSL published a blog post on CVE-2022-3786 and CVE-2022-3602. If you haven't read it, read it. TL;DR? Don't install an OpenSSL version that is >= 3.0.0 and < 3.0.7.
What I want to do is illustrate a few easy commands to determine what OpenSSL version you are running and evaluate what your exposure is here.
Node
To see which OpenSSL version your application is using with NodeJS:
# node -e 'console.log(process.versions)' | grep openssl
openssl: '1.1.1l+quic',
Python
To see which OpenSSL version your application is using with Python:
# python -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.1.1i 8 Dec 2020
Ruby
To see which OpenSSL version your application is using with Ruby:
# curl -Lks 'https://git.io/rg-ssl' | ruby
Here's your Ruby and OpenSSL environment:
Ruby: 3.0.2p107 (2021-07-07 revision 0db68f023372b634603c74fca94588b457be084c) [x86_64-linux]
RubyGems: 3.2.22
Bundler: 2.2.22
Compiled with: OpenSSL 1.1.1d 10 Sep 2019
Loaded version: OpenSSL 1.1.1d 10 Sep 2019
SSL_CERT_FILE: /usr/lib/ssl/cert.pem
SSL_CERT_DIR: /usr/lib/ssl/certs
With that out of the way, let's see if you can connect to rubygems.org...
Bundler connection to rubygems.org: success ✅
RubyGems connection to rubygems.org: success ✅
Ruby net/http connection to rubygems.org: success ✅
Hooray! This Ruby can connect to rubygems.org. You are all set to use Bundler and RubyGems. 👌
OpenSSL CLI is Installed
This is an easy one. If the CLI is installed, you can just ask it directly.
$ openssl version
OpenSSL 1.1.1n 15 Mar 2022
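To turn the version strings above into an exposure verdict, the following script is an added example (not part of the original post) that checks a string against the range in the TL;DR, 3.0.0 <= version < 3.0.7. The helper names classify_openssl and probe are hypothetical, the 3.0.x sample strings are constructed, and the Ruby probe reads OpenSSL::OPENSSL_LIBRARY_VERSION locally instead of running the script shown above.

```shell
#!/bin/sh
# Added example: classify OpenSSL version strings against the range affected
# by CVE-2022-3786 / CVE-2022-3602 (3.0.0 <= version < 3.0.7).
# classify_openssl and probe are hypothetical helper names.

classify_openssl() {
    # Extract the first dotted triple from inputs such as
    # "OpenSSL 1.1.1n  15 Mar 2022", "1.1.1l+quic" or "3.0.5".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1)
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

probe() {
    # probe <label> <command...>: skip runtimes that are not installed.
    label=$1
    shift
    command -v "$1" >/dev/null 2>&1 || return 0
    v=$("$@" 2>/dev/null) || v=""
    echo "$label: ${v:-no output} -> $(classify_openssl "$v")"
}

# Strings in the shapes the commands on this page print; the 3.0.x values
# are constructed for illustration.
for sample in "1.1.1l+quic" "OpenSSL 1.1.1i  8 Dec 2020" "OpenSSL 3.0.5" "3.0.7"; do
    printf '%-28s %s\n' "$sample" "$(classify_openssl "$sample")"
done

# Each runtime can link its own OpenSSL, so check every one that is present.
probe "openssl CLI" openssl version
probe "node" node -p 'process.versions.openssl'
probe "python3" python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)'
probe "ruby" ruby -ropenssl -e 'puts OpenSSL::OPENSSL_LIBRARY_VERSION'
```

A result of "unknown" means no dotted version number was found in the output and the runtime needs a manual look.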