Our vulnerability scanner has detected that Core18/Core20 are running outdated binary packages of OpenSSL (1.1.1f) even though we’re already running with the latest update of the Stable & even Edge channel.
I just find it weird that snap would be using outdated version of OpenSSL binaries (1.1.1f ) which is more than 3 years old already and known to be vulnerable.
To add here is a screenshot of my snap info showing it’s even using the updated edge channel but is still flagged as running outdated OpenSSL 1.1.1f binary packages.
It’s common for security scanning software to not quite understand how software packaging in Ubuntu works.
Chances are very high that whatever security issues were identified in OpenSSL 1.1.1f and fixed in OpenSSL 1.1.1g are likely backported to the package. So in Ubuntu the OpenSSL major version may well say 1.1.1f, but will have a suffix which indicates that it’s been updated. The changelog will also specify what’s been included.
Thank you for your explanation @popey. That’s my understanding as well and that our vulnerability scanner is not catching the complete version of the OpenSSL Binary Packages and leaving out the suffixes.
Does snap core20 make use of the same OpenSSL binary packages as the one in Ubuntu?
If you can link me to an article or documentation so that I can use it to back up my claim to our vulnerability scanning vendor.
Looking at the changelog, that looks like the latest version in the Ubuntu 20.04 (focal) repo.
openssl (1.1.1f-1ubuntu2.20) focal-security; urgency=medium
* SECURITY UPDATE: denial of service
- debian/patches/CVE-2023-3446.patch: adds check to prevent the testing of
an excessively large modulus in DH_check().
- CVE-2023-3446
* SECURITY UPDATE: denial of service
- debian/patches/CVE-2023-3817.patch: adds check to prevent the testing of
invalid q values in DH_check().
- CVE-2023-3817
-- Ian Constantin <ian.constantin@canonical.com> Tue, 10 Oct 2023 12:03:48 +0300
So, in my opinion, from my understanding (not a Canonical employee), that’s what is inside the snap.
Cyber security guy here. If you’re using Nessus to perform the scan, or even Rapid7, they both have some issues with vendor packaging and will often give an “opinionated” response/report. @popey and @zyga are correct.
If it were me, I’d report this as a false positive and make a note for future reference.
You can also use the review-tools snap to check the manifests on individual snaps. I can’t remember the exact command that’s needed and unfortunately I’m not at a computer at the moment to check, but it’s the same tool that gets run daily on the store side to alert people to bundled libraries that have updates.
Effectively, it looks at the snap manifest itself and compares the packages against known CVEs that have been fixed. This requires the snap has a manifest which not all do, but it’s still fairly common to have them and anything produced by Canonical should always have them since anything produced by Canonical is usually built on Launchpad which defaults to producing the manifest.