-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL 1.1.1y out of date in ARM distributions #8789
Comments
We found the same here, tested on 2.17.12 on ARM.
Systems are all Linux aarch64 |
Thanks for reporting this. The CVE referenced is low severity and the CLI should not be impacted. However the team is aware of this issue and is planning to update the OpenSSL version in the near future. |
I noticed the AMD/x86_64 CLI doesn't have these files available so they don't get picked up by the scanners. Is the ARM/aarch64 CLI build different that it still needs to have these files left over or can they be removed? |
@tim-finnigan The CVE is a 9.1 Critical score on CVSS v3 which changes our SLOs for fixing these kinds of reported vulnerabilities. Based on by above comment, can the ARM distributions be made the same as the AMD versions where it's not bundled and available under |
Per OpenSSL (see: https://www.openssl.org/news/vulnerabilities-3.1.html#y2024) regarding the CVE:
Regarding the distributions: the x86_64 installer is statically linked and contains the same code as the arm64 installer, but the code is not packaged in a separate .so file. The arm64 installer is dynamically linked and uses system libraries, but also includes libcrypto.so in case it's missing. If one is flagged and the other isn't then the issue may be with the auditing tool, not the installers, since both have the same threat model. |
Thanks @tim-finnigan I'll see about getting the CVE reassessed on our end to also move it to low. If we're using an OS (Ubuntu) which does comes with the libraries dynamically linked to system libraries, can the files be removed from The scanner/auditing tool in this case is simply looking for a file called Checking the linked binaries for AWS on arm64, we get
I can't see SSL/crypto mentioned there to use a system library. |
Checking
When running |
Are there any plans for the ARM releases to also be statically linked, so they don't require the extra libraries |
There are not currently plans for the ARM releases to also be statically linked, but this is something the team will need to investigate further prior to considering. |
Closing this issue as 1.1.1za is now bundled for Linux installers since version 2.17.56 per the CHANGELOG. As previously mentioned, there are not currently plans for the ARM releases to also be statically linked. |
This issue is now closed. Comments on closed issues are hard for our team to see. |
Describe the issue
Similar to #8485
Tenable is reporting on ARM instances with AWS CLI installed, that the following files out out of date and should be updated to the latest
1.1.1za
OpenSSL releaseAWS CLI was recently updated to use the
1.1.1y
but that is also now considered out of date with the newza
release.Additional Information/Context
Tested on latest
2.17.10
Reported in https://www.tenable.com/plugins/nessus/201084
CLI version used
2.17.10
Environment details (OS name and version, etc.)
Linux aarch64
The text was updated successfully, but these errors were encountered: