SnapCraft Core18/20 Vulnerability

Our vulnerability scanner has detected that Core18/Core20 are running outdated binary packages of OpenSSL (1.1.1f) even though we’re already running with the latest update of the Stable & even Edge channel.

I just find it weird that snap would be using an outdated version of the OpenSSL binaries (1.1.1f), which is more than 3 years old already and known to be vulnerable.

Can anyone shed light on it?

1 Like

To add, here is a screenshot of my snap info showing it’s even using the updated edge channel but is still flagged as running outdated OpenSSL 1.1.1f binary packages.

1 Like

It’s common for security scanning software to not quite understand how software packaging in Ubuntu works.

Chances are very high that whatever security issues were identified in OpenSSL 1.1.1f and fixed in OpenSSL 1.1.1g are likely backported to the package. So in Ubuntu the OpenSSL major version may well say 1.1.1f, but will have a suffix which indicates that it’s been updated. The changelog will also specify what’s been included.

https://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2.20/changelog

An example CVE which has been resolved in 20.04: https://ubuntu.com/security/CVE-2023-3817

1 Like

Thank you for your explanation @popey. That’s my understanding as well: our vulnerability scanner is not catching the complete version of the OpenSSL binary packages and is leaving out the suffixes.

Does snap core20 make use of the same OpenSSL binary packages as the ones in Ubuntu? If you can link me to an article or documentation, I can use it to back up my claim to our vulnerability scanning vendor.

You can see from the manifest.yaml precisely what was used to compose the snap you downloaded.

So in this example (which I just ran on my arm64 laptop) I see the 1.1.1f-1ubuntu2.20 version of the libssl1.1 package.

$ snap download core
$ unsquashfs core20_*.snap snap/manifest.yaml
$ grep libssl squashfs-root/snap/manifest.yaml 
    - libssl1.1=1.1.1f-1ubuntu2.20
    - libssl1.1=1.1.1f-1ubuntu2.20
    - libssl1.1=1.1.1f-1ubuntu2.20

Looking at the changelog, that looks like the latest version in the Ubuntu 20.04 (focal) repo.

openssl (1.1.1f-1ubuntu2.20) focal-security; urgency=medium

  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2023-3446.patch: adds check to prevent the testing of
      an excessively large modulus in DH_check().
    - CVE-2023-3446
  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2023-3817.patch: adds check to prevent the testing of
      invalid q values in DH_check().
    - CVE-2023-3817

 -- Ian Constantin <ian.constantin@canonical.com>  Tue, 10 Oct 2023 12:03:48 +0300

So, in my opinion, from my understanding (not a Canonical employee), that’s what is inside the snap.

1 Like

This is accurate; a copy of the manifest is inside the snap itself:

zyga@novigrad:/snap/core20/current/snap$ grep libssl manifest.yaml 
    - libssl1.1=1.1.1f-1ubuntu2.20
    - libssl1.1=1.1.1f-1ubuntu2.20
    - libssl1.1=1.1.1f-1ubuntu2.20

As you can see it’s the 1.1.1f-1ubuntu2.20 version which matches what was referenced by Alan above.

2 Likes

Cyber security guy here. If you’re using Nessus to perform the scan, or even Rapid7, they both have some issues with vendor packaging and will often give an “opinionated” response/report. @popey and @zyga are correct.

If it were me, I’d report this as a false positive and make a note for future reference.

1 Like

Thank you very much @popey and @zyga. This has clarified and answered my query.

@kz6fittycent Thank you very much as well. I will take it up with our vendor for their assessment and improvement.

You can also use the review-tools snap to check the manifests on individual snaps. I can’t remember the exact command that’s needed and unfortunately I’m not at a computer at the moment to check, but it’s the same tool that gets run daily on the store side to alert people to bundled libraries that have updates.

Effectively, it looks at the snap manifest itself and compares the packages against known CVEs that have been fixed. This requires that the snap has a manifest, which not all do, but it’s still fairly common to have them, and anything produced by Canonical should always have them, since anything produced by Canonical is usually built on Launchpad, which defaults to producing the manifest.

1 Like
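As an added example (not from this thread, and not Canonical's review-tools), here is a small Python check that does what the unsquashfs/grep steps and the review-tools description above amount to: parse the package list out of manifest.yaml, compare the full Debian version against the version each CVE was fixed in, and show why a scanner that drops the `-1ubuntu2.20` suffix reports a false positive. The CVE-to-fix-version table is taken from the focal changelog quoted above; the dpkg version ordering is reimplemented here rather than imported, and the manifest text is a constructed sample copied from the grep output in the thread.

```python
import re

# Constructed sample input: the grep output quoted in the thread above.
MANIFEST_GREP = """\
    - libssl1.1=1.1.1f-1ubuntu2.20
    - libssl1.1=1.1.1f-1ubuntu2.20
"""
# Fix versions per the focal changelog quoted above (both fixed in 1.1.1f-1ubuntu2.20).
FIXED_IN = {"CVE-2023-3446": "1.1.1f-1ubuntu2.20", "CVE-2023-3817": "1.1.1f-1ubuntu2.20"}

def _order(c):
    """dpkg character ordering: '~' < end-of-string/digit < letters < other non-digits."""
    if c == "~": return -1
    if c.isdigit(): return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc: return ac - bc
            i += 1; j += 1
        while i < len(a) and a[i] == "0": i += 1
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not diff: diff = ord(a[i]) - ord(b[j])
            i += 1; j += 1
        if i < len(a) and a[i].isdigit(): return 1
        if j < len(b) and b[j].isdigit(): return -1
        if diff: return diff
    return 0

def compare_versions(v1, v2):
    """Return <0, 0, >0 for Debian versions v1 <, ==, > v2 ([epoch:]upstream[-revision])."""
    def split(v):
        epoch = 0
        if ":" in v: e, v = v.split(":", 1); epoch = int(e)
        up, rev = v.rsplit("-", 1) if "-" in v else (v, "")
        return epoch, up, rev
    e1, u1, r1 = split(v1); e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def parse_manifest(text):
    """Collect package=version entries from manifest.yaml lines (duplicates collapse)."""
    return dict(re.findall(r"^\s*-\s*([^\s=]+)=(\S+)", text, re.M))

def assess(manifest_text, fixed_in, package="libssl1.1", drop_suffix=False):
    """Map each CVE to 'fixed'/'vulnerable'; drop_suffix mimics a scanner that keeps only '1.1.1f'."""
    installed = parse_manifest(manifest_text)[package]
    if drop_suffix: installed = installed.split("-", 1)[0]
    return {cve: "fixed" if compare_versions(installed, fix) >= 0 else "vulnerable"
            for cve, fix in fixed_in.items()}
```

Run with `drop_suffix=True` to reproduce the scanner's verdict, and with the default to see what the manifest actually says.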