
OpenSSL 1.1.1za out of date in ARM distributions for CVE-2024-9143 #8987

Open
alex-rowe opened this issue Oct 17, 2024 · 1 comment
Labels
dependencies This issue is a problem in a dependency. feature-request A feature should be added or improved. p2 This is a standard priority issue source-distribution cli v2 source distribution related issues

Comments

@alex-rowe

Describe the issue

Similar to #8789

Tenable is reporting, on ARM instances with AWS CLI installed, that the following files are out of date and should be updated to the latest 1.1.1zb OpenSSL release:

  Path             : /usr/local/aws-cli/v2/2.17.65/dist/libcrypto.so.1.1
  Reported version : 1.1.1za
  Fixed version    : 1.1.1zb


  Path             : /usr/local/aws-cli/v2/2.17.65/dist/libssl.so.1.1
  Reported version : 1.1.1za
  Fixed version    : 1.1.1zb

AWS CLI was recently updated to use 1.1.1y, but that is also now considered out of date with the new za release.

Additional Information/Context

Tested on the latest release, 2.18.9, as well:

% curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64-2.18.9.zip" -o "awscliv2.zip"
% unzip awscliv2.zip
% strings aws/dist/libcrypto.so.1.1 | grep "^OpenSSL 1.1.1" 
OpenSSL 1.1.1za  3 Sep 2024
% strings aws/dist/libssl.so.1.1 | grep "^OpenSSL 1.1.1" 
OpenSSL 1.1.1za  3 Sep 2024

Reported in https://www.tenable.com/plugins/nessus/209149

Previously in #8789 we asked about statically linking in the ARM installer, the same as the AMD installer, so that these vulnerabilities stop being reported by Tenable/Nessus scanners.

CLI version used

2.18.9

Environment details (OS name and version, etc.)

Linux aarch64
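The check above can be reproduced offline and turned into a pass/fail gate. The script below is an added example, not code from the issue or from the AWS CLI project: it extracts the embedded "OpenSSL 1.1.1x" banner from libcrypto.so.1.1 and libssl.so.1.1 with `grep -a` (so it works without binutils' `strings`), orders 1.1.1 letter releases the way the versions quoted above imply (a..z, then za, zb, ...), and compares each library against a fixed version. The fixed version 1.1.1zb is taken from the scanner output in the report and is an assumption here, as are the constructed sample libraries, which contain nothing but a banner.

```shell
#!/bin/sh
# Added example (not from the issue or the AWS CLI project): reproduce the
# bundled-OpenSSL check from the report offline, then compare the banner
# against a "fixed" letter release. Uses `grep -a` so it works without
# binutils' `strings`. FIXED_VERSION is an assumption taken from the scanner
# output quoted in the issue.
FIXED_VERSION=1.1.1zb

# Print the first "OpenSSL 1.1.1<letters>" banner embedded in a binary,
# e.g. "1.1.1za", or nothing if the file carries no such banner.
openssl_version_of() {
    grep -a -o 'OpenSSL 1\.1\.1[a-z]*' "$1" | head -n 1 | sed 's/^OpenSSL //'
}

# Exit status 0 when $1 is an older 1.1.1 letter release than $2.
# Letter releases run a, b, ..., z, za, zb, ...: a shorter suffix is older,
# equal-length suffixes compare as plain ASCII strings.
older_than() {
    s1=${1#1.1.1}
    s2=${2#1.1.1}
    if [ "${#s1}" -ne "${#s2}" ]; then
        [ "${#s1}" -lt "${#s2}" ]
    elif [ "$s1" = "$s2" ]; then
        return 1
    else
        [ "$(printf '%s\n%s\n' "$s1" "$s2" | LC_ALL=C sort | head -n 1)" = "$s1" ]
    fi
}

# Walk a dist directory such as aws/dist and report each bundled OpenSSL 1.1
# library. Prints one line per library and returns 1 if any library is older
# than FIXED_VERSION, so the function can gate a CI job.
scan_dist() {
    outdated=0
    for lib in "$1"/libcrypto.so.1.1 "$1"/libssl.so.1.1; do
        [ -f "$lib" ] || continue
        v=$(openssl_version_of "$lib")
        if [ -z "$v" ]; then
            echo "$lib: no OpenSSL 1.1.1 banner found"
        elif older_than "$v" "$FIXED_VERSION"; then
            echo "$lib: $v (older than $FIXED_VERSION)"
            outdated=1
        else
            echo "$lib: $v (ok)"
        fi
    done
    return "$outdated"
}

# Constructed sample: two fake shared objects whose only recognisable content
# is an OpenSSL banner surrounded by NUL bytes (the real report shows 1.1.1za
# in both files; one is set to 1.1.1zb here to show the "ok" path as well).
make_sample_dist() {
    d=$(mktemp -d)
    printf 'junk\000OpenSSL 1.1.1za  3 Sep 2024\000junk' > "$d/libcrypto.so.1.1"
    printf 'junk\000OpenSSL 1.1.1zb  3 Sep 2024\000junk' > "$d/libssl.so.1.1"
    echo "$d"
}

# Stand-alone run: scan the constructed sample instead of a downloaded zip.
# Against a real installer, point scan_dist at aws/dist after unzipping.
SAMPLE_DIST=$(make_sample_dist)
scan_dist "$SAMPLE_DIST" || echo "at least one bundled library is older than $FIXED_VERSION"
rm -rf "$SAMPLE_DIST"
```

Against a real download, run `scan_dist aws/dist` after unzipping; the non-zero exit status is what a pipeline would key off, and the per-library lines give the same path/version pairing the scanner reports.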

@alex-rowe alex-rowe added needs-triage This issue or PR still needs to be triaged. source-distribution cli v2 source distribution related issues labels Oct 17, 2024
@tim-finnigan tim-finnigan self-assigned this Oct 18, 2024
@tim-finnigan tim-finnigan added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Oct 18, 2024
@tim-finnigan
Contributor

Thanks for reaching out. Per OpenSSL, CVE-2024-9143 is low severity. 1.1.1zb is not currently available for the AWS CLI to use, but the team can look into upgrading once it is available. As mentioned in the previous issue, there are not currently plans for the ARM releases to also be statically linked.

@tim-finnigan tim-finnigan added p2 This is a standard priority issue feature-request A feature should be added or improved. dependencies This issue is a problem in a dependency. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-triage This issue or PR still needs to be triaged. labels Oct 18, 2024
@tim-finnigan tim-finnigan removed their assignment Oct 18, 2024