openssl-fips-provider

[jdonovan-itcnp]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

24

Storage for /

100

Storage for /nsm

215

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Our vulnerability scanners are reporting that there is a vulnerability present in the installed version of "openssl-fips-provider" in our SecurityOnion servers. We have reviewed, and the reported version numbers appear to be correct. The updated version does not appear to be available in the update repository.

The Oracle reference number for the vulnerability is ELSA-2024-9333.

Installed version: openssl-fips-provider-3.0.7-2.0.1.el9
Updated versrion: openssl-fips-provider-3.0.7-6.0.1.el9_5
 
Is this patch being held for a specific reason? Is it anticipated that the patch will be come available in the near future?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[TOoSmOotH]

I see that the updated openssl that also had a CVE was pulled down on Dec. 1st. We were not explicitly pulling openssl-fips-provider down since its a dependency of systemd. I tried to install the version that is mentioned in the CVE manually, but systemd blocked it. It will have to wait until systemd is updated for it to actually install.

[jdonovan-itcnp]

@TOoSmOotH Acknowledged, thanks. Quick question - Which Oracle repo are you guys downstream of? It looks like the package is available from the Oracle 9 BaseOS repo/channel:

Apologies for the 20 Questions, my security team is going to ask me all of these when I put in the paperwork on this, so I want to be prepared. 😄

[TOoSmOotH]

We pull from yum.oracle.com and we don't specify that package directly. We include all the main packages and follow dependencies. The list is here: https://github.com/Security-Onion-Solutions/securityonion-repo/tree/main/oracle9

When systemd is updated the package will automatically get pulled. Those _5 files look like patches. I tried to upgrade the package and systemd complained that it is protected and requires the older version. We take security seriously but we depend on Oracle to do their thing so we can maintain the "Availability" section of the CIA triad. Seeing that this is a "LOW" vulnerability according to Oracle, our recommendation is to wait until the systemd updates are in place.

[jdonovan-itcnp]

@TOoSmOotH Okay, I think I'm understanding what you're saying now. Appreciate you sharing the additional context with me.

[wgarner-itcnp]

@TOoSmOotH Hello, could you let us know if you see change on your end?

[TOoSmOotH]

@wgarner-itcnp @jdonovan-itcnp It's really up to RedHat at this point.

# dnf repoquery --installed --whatrequires openssl-fips-provider 
openssl-libs-1:3.2.2-6.0.1.el9_5.1.x86_64

# dnf repoquery --installed --whatrequires openssl-libs
apr-util-openssl-0:1.6.1-23.el9.x86_64
bind-libs-32:9.16.23-24.0.1.el9_5.3.x86_64
coreutils-0:8.32-36.0.1.el9.x86_64
createrepo_c-libs-0:0.20.1-2.el9.x86_64
cryptsetup-libs-0:2.7.2-3.el9_5.x86_64
git-core-0:2.43.5-2.el9_5.x86_64
httpd-tools-0:2.4.62-1.0.1.el9_5.2.x86_64
ima-evm-utils-0:1.5-2.el9.x86_64
kmod-0:28-10.0.1.el9.x86_64
kmod-libs-0:28-10.0.1.el9.x86_64
krb5-libs-0:1.21.1-4.0.1.el9_5.x86_64
libarchive-0:3.5.3-4.el9.x86_64
libcurl-0:7.76.1-31.el9.x86_64
libevent-0:2.1.12-8.el9_4.x86_64
libfido2-0:1.13.0-2.el9.x86_64
librepo-0:1.14.5-2.el9.x86_64
libsolv-0:0.7.24-3.el9.x86_64
libssh-0:0.10.4-13.el9.x86_64
nmap-ncat-3:7.92-3.el9.x86_64
open-vm-tools-0:12.4.0-2.0.1.el9.x86_64
openldap-0:2.6.6-3.el9.x86_64
openssh-0:8.7p1-43.0.1.el9.x86_64
openssh-clients-0:8.7p1-43.0.1.el9.x86_64
openssh-server-0:8.7p1-43.0.1.el9.x86_64
openssl-1:3.2.2-6.0.1.el9_5.1.x86_64
pam-0:1.5.1-22.0.1.el9_5.x86_64
pcp-libs-0:6.2.2-7.el9_5.x86_64
perl-IO-Socket-SSL-0:2.073-2.el9.noarch
perl-Net-SSLeay-0:1.94-1.el9.x86_64
python3-libs-0:3.9.21-1.el9_5.x86_64
python3-m2crypto-0:0.38.0-7.el9.x86_64
rpm-build-libs-0:4.16.1.3-34.el9.x86_64
rpm-libs-0:4.16.1.3-34.el9.x86_64
rpm-plugin-selinux-0:4.16.1.3-34.el9.x86_64
rpm-plugin-systemd-inhibit-0:4.16.1.3-34.el9.x86_64
rpm-sign-libs-0:4.16.1.3-34.el9.x86_64
rsync-0:3.2.3-20.el9_5.1.x86_64
systemd-0:252-46.0.3.el9_5.2.x86_64
systemd-libs-0:252-46.0.3.el9_5.2.x86_64
systemd-pam-0:252-46.0.3.el9_5.2.x86_64
systemd-udev-0:252-46.0.3.el9_5.2.x86_64
tcpdump-14:4.99.0-9.el9.x86_64
tpm2-tss-0:3.2.3-1.el9.x86_64
wpa_supplicant-1:2.10-5.el9.x86_64
xmlsec1-openssl-0:1.2.29-13.el9.x86_64

[dougburks]

This has been resolved:

rpm -qa |grep openssl-fips
openssl-fips-provider-so-3.0.7-6.0.1.el9_5.x86_64
openssl-fips-provider-3.0.7-6.0.1.el9_5.x86_64