OpenSSL 1.0.2k vulnerabilities

Support for security such as Firewalls and securing linux
Tangent_78
Posts: 3
Joined: 2023/06/12 17:07:24

OpenSSL 1.0.2k vulnerabilities

Post by Tangent_78 » 2023/06/12 17:17:11

Hello,

I am a vulnerability manager for a system that uses CentOS 7. OpenSSL is being flagged by Nessus/Tenable for plugin 173268 OpenSSL 1.0.2 < 1.0.2zh Multiple Vulnerabilities due to this file: Path : /usr/lib64/libcrypto.so.1.0.2k
My administrator states that this is the latest version available for CentOS 7 and my research has shown that as well. The odd thing is that all of our Linux based servers (RHEL 7, Oracle Linux 7 and CentOS 7) are using this version of libcrypto but only the CentOS 7 ones are flagging via Nessus. Is there a way to update this manually using the software from OpenSSL? Any other help would be appreciated.

TrevorH
Site Admin
Posts: 33243
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL 1.0.2k vulnerabilities

Post by TrevorH » 2023/06/12 17:21:05

I looked at a CentOS 7.9 system and a RHEL 7.9 system and both have identical copies of openssl installed: openssl-1.0.2k-26.el7_9.x86_64

Also rpm -q --changelog openssl shows identical output on both systems.

Are you sure your CentOS system is up to date and has openssl-1.0.2k-26.el7_9.x86_64 installed?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Tangent_78
Posts: 3
Joined: 2023/06/12 17:07:24

Re: OpenSSL 1.0.2k vulnerabilities

Post by Tangent_78 » 2023/06/13 14:36:08

Thanks for the reply! openssl-1.0.2k-26.el7_9|1 is what is installed but 1.0.2zh is what the IAVA/plugin calls for based on CVEs 2023-0464, 0465, 0466 for OpenSSL. Seems like CentOS and RHEL both do not consider it applicable, but I haven't found anything to prove that from them to the government folks. Again the odd thing is, only 3 of my 4 CentOS 7 servers flag for this in Nessus scans; however, 1.0.2k is what is installed on my other CentOS 7 server as well as my RHEL 7 and Oracle Linux 7 servers, but they do not flag.

TrevorH
Site Admin
Posts: 33243
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL 1.0.2k vulnerabilities

Post by TrevorH » 2023/06/13 15:00:09

1.0.2zh is an upstream (openssl) version number. RHEL/CentOS et al do not use those version numbers. They start with a version that they select, in this case 1.0.2k, and then backport any necessary security fixes to that 1.0.2k version.

Running rpm -q --changelog openssl | grep CVE will normally show you the list of CVEs that are fixed in the RHEL/CentOS version, including fixes backported from newer than 1.0.2k versions.

You can also look at e.g. https://access.redhat.com/security/cve/CVE-2023-0464 which will tell you the official RH position on the CVE you are interested in - in this case it says "Out of support scope" because RHEL 7 is in its final support phase and they only fix vulnerabilities that are marked as Critical or Important. This one is "low". So are 465 and 466 so there will never be a fix for these CVEs on RHEL 7 or any of its clones.

The fact that you are getting different results depending on what you scan means the tool is in error as these will never be fixed in any RHEL 7-alike systems.

Tangent_78
Posts: 3
Joined: 2023/06/12 17:07:24

Re: OpenSSL 1.0.2k vulnerabilities

Post by Tangent_78 » 2023/06/13 19:43:54

Thank you Trevor. This info is very educational on the process RHEL uses to update embedded software. I think I may have found why my scanner is seeing the non-compliant version on those 3 servers. It seems to be detecting it through the Apache HTTP server header, as the 4th server that is not flagging does not have the Apache HTTP server running. Either way, I think I have enough info to give to our security folks. Thanks again!
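As an added example (not part of this thread, and not code from Red Hat, CentOS or Tenable), here is a small POSIX shell script that applies the two checks discussed above: reading the package changelog for a CVE identifier, as TrevorH describes with rpm -q --changelog, and pulling the OpenSSL version out of an Apache Server header, the path Tangent_78 suspects the scanner is using. The changelog text and banner strings are constructed for the demo (the CVE list in it is illustrative, not the real el7 changelog), and the function names are the example's own.

```shell
#!/bin/sh
# Added example: backport-aware CVE check vs. banner-only version check.

# Constructed stand-in for `rpm -q --changelog openssl` output.
# The CVEs listed here are illustrative, NOT the real openssl-1.0.2k el7 changelog.
SAMPLE_CHANGELOG='* Tue Mar 14 2023 Example Maintainer <maint@example.invalid> 1.0.2k-26
- fix CVE-2022-2097 AES OCB fails to encrypt some bytes on 32-bit x86
* Wed Jul 20 2022 Example Maintainer <maint@example.invalid> 1.0.2k-25
- fix CVE-2022-1292 c_rehash script allows command injection
- fix CVE-2021-3712 read buffer overruns processing ASN.1 strings'

# cve_fixed CVE-ID [CHANGELOG-TEXT]
# Returns 0 when the CVE is named in the changelog (the fix was backported
# into the distro build), 1 otherwise. With no second argument it queries
# the live system's openssl package, exactly as TrevorH suggests.
cve_fixed() {
    cve=$1
    if [ -n "$2" ]; then
        printf '%s\n' "$2" | grep -q -i -F "$cve"
    else
        rpm -q --changelog openssl | grep -q -i -F "$cve"
    fi
}

# banner_openssl_version SERVER-HEADER
# Prints the OpenSSL version a banner-based scanner can see, e.g. "1.0.2k"
# from "Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips". Prints nothing if the
# header carries no OpenSSL token. Note that this is only the base version:
# the banner says nothing about which CVE fixes were backported.
banner_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL\/\([0-9][0-9a-z.]*\).*/\1/p'
}

# Demo on the constructed data: CVE-2022-1292 is listed, CVE-2023-0464 is not.
for c in CVE-2022-1292 CVE-2023-0464; do
    if cve_fixed "$c" "$SAMPLE_CHANGELOG"; then
        echo "$c: fix present in package changelog (backported)"
    else
        echo "$c: not in changelog; check the vendor CVE page for its status"
    fi
done
echo "Banner version: $(banner_openssl_version 'Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips')"
```

Run it without arguments on a real host (`cve_fixed CVE-2021-3712`) to query the installed package directly. The two functions make the discrepancy in the thread concrete: the changelog check can distinguish a backported fix from a missing one, while the banner check only ever yields "1.0.2k", which any "less than 1.0.2zh" comparison will flag whether or not a fix was backported.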
