Lacework Linux Agent and OpenSSL Vulnerability Guidance
Overview
On November 1, 2022, OpenSSL released OpenSSL 3.0.7 to address two serious vulnerabilities affecting OpenSSL 3.0.0 - 3.0.6. See Critical OpenSSL Vulnerability for information on how to find the vulnerabilities using the Lacework platform.
- The Lacework Linux agent Docker image includes OpenSSL. Hence, you must upgrade to the Docker image from Lacework Linux agent 6.1.2 (which includes OpenSSL 3.0.2-0ubuntu1.7) or a later release to address the vulnerabilities. For instructions, see Upgrade the Lacework Linux Agent Docker Image.
- The Lacework Linux agent binary does not include OpenSSL. If you are not running the Lacework Linux agent Docker image, ensure that your host operating system has OpenSSL 3.0.7 installed to address the vulnerabilities.
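As an added check that is not part of Lacework's guidance, the following POSIX shell functions classify the output of `openssl version` and a Debian/Ubuntu libssl3 package version against the affected range above (3.0.0 through 3.0.6 affected, 3.0.7 fixed). The Ubuntu case matters because the 3.0.2-0ubuntu1.7 package named above carries the fix while still reporting upstream version 3.0.2; that later 0ubuntu1.N revisions also keep the fix is an assumption, and the sample inputs are constructed.

```shell
#!/bin/sh
# Classify `openssl version` output against the OpenSSL 3.0.x advisory:
# 3.0.0 - 3.0.6 are affected, 3.0.7 and later are fixed, other branches
# (1.1.1x, 3.1+) are not in scope. Prints: affected, fixed, not-affected, unknown.
classify_openssl_version() {
    # $1 is a line such as "OpenSSL 3.0.5 5 Jul 2022"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.a-z]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=$(printf '%s' "${rest#*.}" | tr -dc '0-9')   # drop letters, e.g. "1q"
    case "$major.$minor" in
        3.0) if [ "${patch:-0}" -le 6 ]; then echo affected; else echo fixed; fi ;;
        *)   echo not-affected ;;
    esac
}

# Debian/Ubuntu backport fixes without changing the upstream version string, so a
# patched Ubuntu 22.04 host still prints "OpenSSL 3.0.2". Check the package
# revision instead: dpkg-query -W -f '${Version}' libssl3
# Assumption (not stated on the page): 3.0.2-0ubuntu1.N with N >= 7 keeps the fix.
classify_ubuntu_libssl() {
    # $1 is a dpkg version such as "3.0.2-0ubuntu1.7"
    case "$1" in
        3.0.2-0ubuntu1.*)
            rev=$(printf '%s' "${1##*.}" | tr -dc '0-9')
            if [ "${rev:-0}" -ge 7 ]; then echo fixed; else echo affected; fi ;;
        3.0.[0-6]-*) echo affected ;;      # unpatched 3.0.0 - 3.0.6 packages
        3.0.*)       echo fixed ;;         # 3.0.7 and later
        *)           echo not-affected ;;
    esac
}

# Constructed sample inputs; on a real host pass "$(openssl version)" and the
# dpkg-query output instead.
for v in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 3.0.7 1 Nov 2022" "OpenSSL 1.1.1q 5 Jul 2022"; do
    printf '%-28s -> %s\n' "$v" "$(classify_openssl_version "$v")"
done
printf 'libssl3 3.0.2-0ubuntu1.7   -> %s\n' "$(classify_ubuntu_libssl 3.0.2-0ubuntu1.7)"
```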
Upgrade the Lacework Linux Agent Docker Image
Upgrade the Docker Image on Kubernetes
If you deployed the agent as a DaemonSet, do the following:
1. Delete the agent with the following command:
kubectl delete -f <laceworkDaemonsetYaml>.yaml
2. Ensure that imagePullPolicy: Always is set in the agent DaemonSet configuration.
3. Deploy the agent with the following command:
kubectl apply -f <laceworkDaemonsetYaml>.yaml
If you deployed the agent with a Helm chart, run the following commands:
1. Update the Lacework Helm repository:
helm repo update lacework
2. Upgrade the Lacework agent:
helm upgrade --install --namespace lacework \
  --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
  --set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
  --set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
  lacework-agent lacework/lacework-agent
Upgrade Docker Image on AWS ECS Daemon Service
Do the following to deploy the latest Docker image to Amazon ECS for your ECS service:
1. If you are hosting the Lacework Linux agent Docker image on AWS ECR, upload the latest version of the image to AWS ECR.
2. If the task definition uses lacework/datacollector:latest, run the command in step 3 to update the agent daemon service in your ECS cluster. If the task definition points to a specific agent release, create a new version of the task definition with the latest agent image.
3. Run the following command for every ECS service:
aws ecs update-service --service <serviceName> --cluster <clusterName> --force-new-deployment