Skip to main content

Lacework Linux Agent and OpenSSL Vulnerability Guidance

Overview

On November 1, 2022, OpenSSL released OpenSSL 3.0.7 to address two serious vulnerabilities affecting OpenSSL 3.0.0 - 3.0.6. See Critical OpenSSL Vulnerability for information on how to find the vulnerabilities using the Lacework platform.

  • The Lacework Linux agent Docker image includes OpenSSL. Hence, you must upgrade to the Docker image in the Lacework Linux agent 6.1.2 (that includes OpenSSL 3.0.2-0ubuntu1.7) or later release to address the vulnerabilities. For instructions, see Upgrade the Lacework Linux Agent Docker Image.
  • The Lacework Linux agent binary does not include OpenSSL. If you are not running the Lacework Linux agent docker image, ensure that your host operating system has OpenSSL 3.0.7 installed to address the vulnerabilities.

Upgrade the Lacework Linux Agent Docker Image

Upgrade the Docker Image on Kubernetes

  • If you deployed the agent as a DeamonSet, do the following:

    1. Delete the agent with the following command:

      kubectl delete -f <laceworkDaemonsetYaml>.yaml

    2. Ensure that imagePullPolicy: Always is set in the agent DaemonSet configuration.

    3. Deploy the agent with the following command:

      kubectl apply -f <laceworkDaemonsetYaml>.yaml

  • If you deployed the agent with a Helm chart, run the following commands:

    Update Lacework Helm repository
    helm repo update lacework
    Upgrade the Lacework agent
    helm upgrade --install --namespace lacework \
           --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
           --set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
           --set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
           lacework-agent lacework/lacework-agent

Upgrade Docker Image on AWS ECS Daemon Service

Do the following to deploy the latest Docker image to Amazon ECS for your ECS service:

  1. If you are hosting the Lacework Linux agent Docker image on AWS ECR, upload the latest version of the image to AWS ECR.

  2. If the task definition uses lacework/datacollector:latest, run the command in step 3 to update the agent daemon service in your ECS cluster. If the task definition points to a specific agent release, create a new version of the task definition with the latest agent image.

  3. Run the following command for every ECS service:

    aws ecs update-service -–service <serviceName> --cluster <clusterName> --force-new-deployment