Fix for High Risk OpenSSL Security Vulnerabilities Announced – Guidance for vcpkg Users

Augustin Popa

OpenSSL.org announced the release of OpenSSL 3.0.7 to address two security vulnerabilities rated as high risk. This patch is now available, including via vcpkg. The vulnerabilities impact users of OpenSSL 3.0.0 – 3.0.6. If you are relying on a version of OpenSSL in this range, it is strongly recommended to upgrade to 3.0.7 as soon as possible. We also recommend reviewing Microsoft Security Response Center’s central blog post on awareness and guidance related to these two CVEs: Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2022-3602) – Microsoft Security Response Center.

If you are a vcpkg user or port author depending on the OpenSSL vcpkg port, below are instructions on how to upgrade to the new version.


vcpkg users: check if you are using a vulnerable version of OpenSSL

WARNING: It is possible that OpenSSL is a part of your dependency graph even if your project does not directly depend on it. This is because other vcpkg ports may transitively depend on OpenSSL and thus vcpkg will install it for you. For example, users of the Azure C++ SDK port transitively depend on OpenSSL and should verify the version of OpenSSL installed on their system.

There are several methods that can help you identify the version of OpenSSL installed by vcpkg (if it exists), depending on your scenario:

  1. If you install your libraries via the command line, use vcpkg list openssl to list all installed versions of OpenSSL.
  2. If you use a vcpkg.json manifest that installs dependencies during your build, use vcpkg install --dry-run to list the versions of every library that will be installed.
  3. Finally, you can also directly verify the installed version of OpenSSL from an installed tree by looking at the version macros in the header “openssl/opensslv.h”. These are the macros, denoting the major, minor, and patch versions (3.0.5 in this case):

     # define OPENSSL_VERSION_MAJOR 3
     # define OPENSSL_VERSION_MINOR 0
     # define OPENSSL_VERSION_PATCH 5
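As an added example (not code from the original post or from vcpkg itself), the following Python script automates methods 1 and 3 above: it reads the three version macros out of an opensslv.h file and decides whether the build falls in the affected 3.0.0 – 3.0.6 range, and it scans lines in the shape of vcpkg list output for openssl entries that need the upgrade. The header excerpt and the list lines are constructed samples, and the "package:triplet  version  description" column layout assumed for vcpkg list is an assumption, not something documented on this page.

```python
import re

# Constructed excerpt of openssl/opensslv.h (not the real file) so the script runs offline;
# the three macros are the ones the post tells you to look at.
SAMPLE_OPENSSLV_H = """\
/* constructed sample, not the real header */
# define OPENSSL_VERSION_MAJOR  3
# define OPENSSL_VERSION_MINOR  0
# define OPENSSL_VERSION_PATCH  5
# define OPENSSL_VERSION_PRE_RELEASE ""
"""

# Constructed lines in the shape assumed for `vcpkg list` output
# (package:triplet, version, description); the exact column layout is an assumption.
SAMPLE_VCPKG_LIST = [
    "curl:x64-windows       7.0.0            constructed description",
    "openssl:x64-windows    3.0.5#2          constructed description",
    "openssl:x64-linux      3.0.7            constructed description",
]

# Affected range stated in the post: OpenSSL 3.0.0 through 3.0.6 (fixed in 3.0.7).
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

_MACRO = re.compile(
    r"^[ \t]*#[ \t]*define[ \t]+OPENSSL_VERSION_(MAJOR|MINOR|PATCH)[ \t]+(\d+)", re.M
)


def openssl_version_from_header(text):
    """Return (major, minor, patch) from opensslv.h text, or None if a macro is missing."""
    found = {name: int(num) for name, num in _MACRO.findall(text)}
    if not set(found) >= {"MAJOR", "MINOR", "PATCH"}:
        return None
    return (found["MAJOR"], found["MINOR"], found["PATCH"])


def parse_vcpkg_version(text):
    """Turn a vcpkg version string such as '3.0.5#2' into (3, 0, 5): the '#N' port-version
    suffix is dropped and a trailing letter (as in OpenSSL 1.x '1.1.1q') is ignored."""
    core = text.split("#", 1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            raise ValueError(f"unrecognised version string: {text!r}")
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version):
    """True when a (major, minor, patch) tuple lies in the 3.0.0 - 3.0.6 range."""
    padded = (tuple(version) + (0, 0, 0))[:3]
    return AFFECTED_MIN <= padded <= AFFECTED_MAX


def affected_openssl_entries(lines):
    """Return [(package, version)] for openssl packages in vcpkg-list-style lines
    whose version is in the affected range."""
    hits = []
    for line in lines:
        cols = line.split()
        if len(cols) < 2:
            continue
        package, version = cols[0], cols[1]
        if package.split(":", 1)[0] == "openssl" and is_affected(parse_vcpkg_version(version)):
            hits.append((package, version))
    return hits


if __name__ == "__main__":
    header_version = openssl_version_from_header(SAMPLE_OPENSSLV_H)
    status = "AFFECTED, upgrade to 3.0.7" if is_affected(header_version) else "not in the affected range"
    print("opensslv.h reports", ".".join(map(str, header_version)), "->", status)
    for package, version in affected_openssl_entries(SAMPLE_VCPKG_LIST):
        print("vcpkg list:", package, version, "-> AFFECTED, upgrade to 3.0.7")
```

To use it against a real tree, replace SAMPLE_OPENSSLV_H with the contents of installed/<triplet>/include/openssl/opensslv.h and SAMPLE_VCPKG_LIST with the captured lines of vcpkg list openssl; the range check is deliberately done on numeric tuples rather than string comparison so that a future 3.0.10 is not mistaken for a version below 3.0.6.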

If you find that you are using a vulnerable version of OpenSSL, read on to find out how to upgrade.


Classic Mode (Command Line) Users

If you are consuming vcpkg dependencies and don’t use a vcpkg.json manifest, you are using classic mode, which involves running commands of the nature vcpkg install <library_name>. To get the latest version of OpenSSL, you have several options. Pick the one that works best for you:


Classic Mode Option 1: Upgrade all dependencies at once

If you are using classic mode and are okay with updating all your vcpkg dependencies at once, the fastest solution is to update your local copy of the vcpkg git repo to a newer version. Just open a terminal to your copy of vcpkg and run the following commands:

git fetch https://github.com/microsoft/vcpkg 09adfdc8cdad76345b7cc7f3305899e1cbd66297
git checkout 09adfdc8cdad76345b7cc7f3305899e1cbd66297
vcpkg upgrade
vcpkg upgrade --no-dry-run

Notes:

  • 09adfdc8cdad76345b7cc7f3305899e1cbd66297 is a vcpkg commit ID containing the patched version of OpenSSL. You can also use a newer commit ID than this.
  • After running the git checkout line with that commit ID, you should see HEAD is now at 09adfdc8c [OpenSSL] Update to 3.0.7. (#27594)
  • After running vcpkg upgrade, you should see that OpenSSL will be updated to 3.0.7, along with other affected dependencies.
  • The last line with --no-dry-run will update your dependencies for real.
  • If you are not bothered about which commit to update to, you can just run a general git pull to get the very latest version of vcpkg and skip having to provide a commit ID altogether. You will still need to run vcpkg upgrade after.


Classic Mode Option 2: Update your local OpenSSL port files to the new version

If you want to update just OpenSSL and nothing else, open a terminal to your copy of vcpkg and run the following commands:

git fetch https://github.com/microsoft/vcpkg 09adfdc8cdad76345b7cc7f3305899e1cbd66297
git checkout 09adfdc8cdad76345b7cc7f3305899e1cbd66297 -- ports/openssl
vcpkg upgrade
vcpkg upgrade --no-dry-run

Notes:

  • 09adfdc8cdad76345b7cc7f3305899e1cbd66297 is a vcpkg commit ID containing the patched version of OpenSSL. You can also use a newer commit ID than this.
  • In contrast to the previous example, this approach lets you update just the OpenSSL portion of the vcpkg repo while leaving everything else alone.
  • After running vcpkg upgrade, you should see that OpenSSL will be updated to 3.0.7, along with other affected dependencies.
  • The last line with --no-dry-run will update your dependencies for real.

This approach will only update the OpenSSL port, but keep in mind that future general git fetches on the repo will apply a new commit ID globally, so you’ll need to make sure you don’t accidentally pull a version of OpenSSL within the 3.0.0 – 3.0.6 range.


Manifest Mode Users

If you are consuming vcpkg dependencies via a manifest file (recommended for any advanced users and professional projects), you just need to update your vcpkg.json file to set a different OpenSSL version.


Manifest Mode Option 1: Upgrade all dependencies at once

In general, we recommend updating all open-source dependencies at once rather than one at a time since that allows you to benefit from vcpkg’s version conflict resolution to avoid things like diamond dependencies in your dependency graph.

If this works for you, open a terminal to your vcpkg install location and run the following command:

git pull origin 09adfdc8cdad76345b7cc7f3305899e1cbd66297

Then (still in your terminal), navigate to your project containing the vcpkg.json, and run:

vcpkg x-update-baseline

You can git pull to a newer commit ID if you prefer (or just not specify a commit ID and get the latest), but the commit ID in the example above is the earlier one with the patch applied.

The x-update-baseline command moves your registry baseline forward to the baseline set for the vcpkg repo. This is why you must run git pull on the main repo to sync it to the baseline you need.

You can alternatively go into your vcpkg.json and vcpkg-configuration.json files to set baselines manually if you’re having trouble running x-update-baseline:

Example with baseline field
vcpkg.json:
{
    "name": "example",
    "version": "1.0.0",
    "dependencies": [
        "curl"
    ]
}

vcpkg-configuration.json:
{
    "default-registry": {
        "kind": "git",
        "baseline": "09adfdc8cdad76345b7cc7f3305899e1cbd66297",
        "repository": "https://github.com/microsoft/vcpkg"
    }
}

The baseline field is used when the registry location is defined in a separate vcpkg-configuration.json file. This is common for custom registries, though you can configure the public registry this way as well. If you just want to use the default registry and don’t have it separately configured in vcpkg-configuration.json, follow the next example instead using the builtin-baseline field.

Example with builtin-baseline field
vcpkg.json:
{
    "name": "example",
    "version": "1.0.0",
    "builtin-baseline": "09adfdc8cdad76345b7cc7f3305899e1cbd66297",
    "dependencies": [
        "curl"
    ]
}

See the vcpkg versioning documentation for details on how baselines work.


Manifest Mode Option 2: Upgrade OpenSSL using an override

If you need fine-grained control over the versions of your libraries, you can set the version of OpenSSL to stay at exactly 3.0.7 using the overrides field. The limitations of this approach are that you won’t get the automatic version conflict resolution (as you would with baselines) and must manually track the package version. In addition, if your project that consumes OpenSSL will itself be packaged as a vcpkg port, your downstream consumers will not automatically get the version of OpenSSL you specify. Your downstream consumers must also update their version of OpenSSL.

Registries example with overrides
vcpkg.json:
{
    "name": "example",
    "version": "1.0.0",
    "dependencies": [
        "curl"
    ],
    "overrides": [
        {
            "name": "openssl",
            "version": "3.0.7"
        }
    ]
}
vcpkg-configuration.json:
{
    "default-registry": {
        "kind": "git",
        "baseline": "fcfda3c78c474aec7187299b684258855259a7a6",
        "repository": "https://github.com/microsoft/vcpkg"
    }
}

Please see our versioning documentation if you need a refresher on these vcpkg features.
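As an added example (not code from the original post or from the vcpkg tool), the script below mirrors the resolution rule the two manifest-mode options rely on: an overrides entry for a port wins, otherwise the port resolves to the version recorded for it in the registry baseline. It reads a manifest in the shape of the override example above together with an excerpt of the versions/baseline.json file that a vcpkg checkout carries at the baseline commit, and reports whether the resulting OpenSSL version still needs the 3.0.7 upgrade. Both inputs are constructed samples; the "default" -> port -> {"baseline", "port-version"} layout of versions/baseline.json and the four accepted version keys are taken from vcpkg's manifest format, while the version values are made up.

```python
import json

# Constructed vcpkg.json in the shape of the post's override example: the override pins
# openssl to 3.0.7 even though the registry baseline below still records an older version.
SAMPLE_MANIFEST = json.loads("""
{
    "name": "example",
    "version": "1.0.0",
    "dependencies": ["curl"],
    "overrides": [{"name": "openssl", "version": "3.0.7"}]
}
""")

# Constructed excerpt of versions/baseline.json from a vcpkg checkout. The
# "default" -> port -> {"baseline", "port-version"} layout is the file's real shape;
# the version values are made up for this example.
SAMPLE_BASELINE_JSON = {
    "default": {
        "curl": {"baseline": "1.2.3", "port-version": 0},
        "openssl": {"baseline": "3.0.5", "port-version": 2},
    }
}

# The manifest format accepts any one of these keys in an override entry.
VERSION_KEYS = ("version", "version-semver", "version-date", "version-string")


def resolve_port_version(manifest, baseline_json, port):
    """Return (version, port_version, source) for `port` the way the post describes it:
    an entry in "overrides" wins, otherwise the registry baseline decides."""
    for entry in manifest.get("overrides", []):
        if entry.get("name") != port:
            continue
        for key in VERSION_KEYS:
            if key in entry:
                return (entry[key], entry.get("port-version", 0), "override")
        raise ValueError(f"override for {port!r} has no version field")
    base = baseline_json["default"][port]
    return (base["baseline"], base.get("port-version", 0), "baseline")


def is_affected(version):
    """True for OpenSSL 3.0.0 through 3.0.6 given a plain version string like '3.0.5'."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return (3, 0, 0) <= parts <= (3, 0, 6)


def audit_openssl(manifest, baseline_json):
    """Report which openssl version this manifest will build and whether it needs the upgrade."""
    version, port_version, source = resolve_port_version(manifest, baseline_json, "openssl")
    return {
        "version": version,
        "port_version": port_version,
        "source": source,
        "affected": is_affected(version),
    }


if __name__ == "__main__":
    for label, manifest in (
        ("with override", SAMPLE_MANIFEST),
        ("baseline only", {k: v for k, v in SAMPLE_MANIFEST.items() if k != "overrides"}),
    ):
        report = audit_openssl(manifest, SAMPLE_BASELINE_JSON)
        verdict = "AFFECTED, upgrade to 3.0.7" if report["affected"] else "ok"
        print(f"{label}: openssl {report['version']}#{report['port_version']} "
              f"from {report['source']} -> {verdict}")
```

Run it with your own vcpkg.json and the versions/baseline.json from the vcpkg checkout at the commit your baseline (or builtin-baseline) names: if the override is removed, the "baseline only" path shows why Option 1 requires moving the baseline to a commit whose recorded OpenSSL version is 3.0.7 or later.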


Questions?

We will monitor this blog post for comments in case there are any questions. Please also feel free to email us at vcpkg@microsoft.com if you need additional guidance.


Posted in C++
