CVE-2024-5535 OpenSSL 1.0.2

General
1

Hi Team,

We are using confd 6.2.1 which uses libcrypto.so.1.0.2k for its startup. And it is detected as vulnerability and suggesting to go with 1.0.2zk which has fix. Please suggest how to go about this?

2

Hi, there are several good references to how to use a different version of OpenSSL on this site (e.g. Using a different version of OpenSSL ) and the User Guide has a section that has instructions as well.
Regards,

Scott

3

Hi @sbarvick ,

Can you please let me know which version of open ssl needs to use for confd 6.2.1 libcrypto.so for startup link

4

Hi, that is further back than we go. We know that 7.1 can run with 1.0.0t but you probably should try to go later and see if you can run with 1.1.1 to be as recent as possible.

I hope that helps,

Scott

5

Hi @sbarvick and Team,

We have upgraded confd to 7.3 version

Below we have soft link for libcrypto.so.1.0.2k still. If remove the softlink and try to bringup confd it still fails

./confd -c /opt/confd/etc/confd/confd.conf

Bad configuration: /opt/confd/etc/confd/confd.conf:0: cannot dynamically link with libcrypto shared library

Daemon died status=21

ls -lrt /usr/lib64/libcrypto*
lrwxrwxrwx. 1 root root 19 Sep 17 2024 /usr/lib64/libcrypto.so.1.1 → libcrypto.so.1.1.1k
-rwxr-xr-x. 1 root root 3087832 Sep 17 2024 /usr/lib64/libcrypto.so.1.1.1k
-rw-r–r–. 1 root root 2520744 Jan 7 08:26 /usr/lib64/libcrypto.so.1.0.2k
lrwxrwxrwx. 1 root root 30 Jan 7 08:26 /usr/lib64/libcrypto.so.1.0.0 → /usr/lib64/libcrypto.so.1.0.2k
lrwxrwxrwx. 1 root root 30 Jan 7 08:26 /usr/lib64/libcrypto.so.10 → /usr/lib64/libcrypto.so.1.0.2k

Please suggest how to overcome with this?

6

I see that you have changed your links but I don’t see that you have done the other necessary steps that are nicely documented in the User Guide, section 32.14. Using a different version of OpenSSL

In particular there are some key build requirements:

To use a different OpenSSL version than the one the DMAP release is built with, it is sufficient to use the provided sources to rebuild these two components with the desired OpenSSL version, and replace them in the DMAP release. The toplevel README file included in the tar archive has instructions on how to do the build of both libconfd and crypto.so.

Once you rebuild, it is also important to do the install commands in as documented in the libconfd directory and Makefile, ‘install_crypto’ in particular to move crypto.so into the right place.