AIX Open Source

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks

So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u.  Then tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v. 

Now tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.  

We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL , mod_ssl, httpd. 

We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBMs billions of profits that IBM can surely and appropriately designate a team just for this endeavor.

Thanks

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks

when you are  invested that big in ibm stuff , why are you posting your complaints in a public forum instead of talking to your service representive inside ibm?

So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u.  Then tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v. 

Now tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.  

We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL , mod_ssl, httpd. 

We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBMs billions of profits that IBM can surely and appropriately designate a team just for this endeavor.

Thanks

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks

Actually we have done both.

Thanks

when you are  invested that big in ibm stuff , why are you posting your complaints in a public forum instead of talking to your service representive inside ibm?

So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u.  Then tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v. 

Now tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.  

We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL , mod_ssl, httpd. 

We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBMs billions of profits that IBM can surely and appropriately designate a team just for this endeavor.

Thanks

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks

Hi Scott,

mod_ssl links dynamically to openssl. So, if you have the latest openssl installed, mod_ssl will make use of it.
It is not required to build mod_ssl with latest openssl. 

Actually we have done both.

Thanks

when you are  invested that big in ibm stuff , why are you posting your complaints in a public forum instead of talking to your service representive inside ibm?

So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u.  Then tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v. 

Now tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.  

We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL , mod_ssl, httpd. 

We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBMs billions of profits that IBM can surely and appropriately designate a team just for this endeavor.

Thanks

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks

Hi Reshma

My understand was that openssl was complied into mod_ssl.

This is what my system reports.

# strings /opt/freeware/lib64/httpd/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.1.1l  24 Aug 2021

# /usr/bin/openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

# rpm -qa |grep httpd
httpd-2.4.56-1.ppc
# rpm -qa |grep mod_ssl
mod_ssl-2.4.56-1.ppc

Tenable reports
The version of OpenSSL installed on the remote host is prior to 1.1.1u. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.1.1u advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1v. It is, therefore, affected by a vulnerability as referenced in the 1.1.1v advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1w. It is, therefore, affected by a vulnerability as referenced in the 1.1.1w advisory.

The remote web server type is :

Apache/2.4.56 (Unix) OpenSSL/1.1.1t

I thought was waiting for a new mod_ssl.  Are you saying I need to wait until IBM has a new OpenSSL package?

Vinny

------------------------------
Vincenzo Giambalvo

Original Message:
Sent: Wed September 20, 2023 03:31 AM
From: RESHMA KUMAR
Subject: httpd 2.4.57

Hi Scott,

mod_ssl links dynamically to openssl. So, if you have the latest openssl installed, mod_ssl will make use of it.
It is not required to build mod_ssl with latest openssl. 

------------------------------
RESHMA KUMAR

Original Message:
Sent: Tue September 19, 2023 11:35 AM
From: Scott Gruber
Subject: httpd 2.4.57

Actually we have done both.

Thanks

------------------------------
Scott Gruber

Original Message:
Sent: Tue September 19, 2023 11:22 AM
From: C- -T
Subject: httpd 2.4.57

when you are  invested that big in ibm stuff , why are you posting your complaints in a public forum instead of talking to your service representive inside ibm?

------------------------------
I regret starting this entire conversation

Original Message:
Sent: Tue September 19, 2023 10:52 AM
From: Scott Gruber
Subject: httpd 2.4.57

So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u.  Then tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v. 

Now tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.  

We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL , mod_ssl, httpd. 

We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBMs billions of profits that IBM can surely and appropriately designate a team just for this endeavor.

Thanks

------------------------------
Scott Gruber

Original Message:
Sent: Fri September 15, 2023 09:12 AM
From: Scott Gruber
Subject: httpd 2.4.57

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks

------------------------------
Scott Gruber
------------------------------

you are expecting httpd is built against openssl V3 which is not the case. 

its all written in the httpd spec file

* Fri Oct 21 2022 Ayappan P <ayappap2@in.ibm.com> - 2.4.54-3- Build with openssl 1.1.2 ( strong ciphers only )

------------------------------
I regret starting this entire conversation

Original Message:
Sent: Wed September 20, 2023 01:59 PM
From: Vincenzo Giambalvo
Subject: httpd 2.4.57

Hi Reshma

My understand was that openssl was complied into mod_ssl.

This is what my system reports.

# strings /opt/freeware/lib64/httpd/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.1.1l  24 Aug 2021

# /usr/bin/openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

# rpm -qa |grep httpd
httpd-2.4.56-1.ppc
# rpm -qa |grep mod_ssl
mod_ssl-2.4.56-1.ppc

Tenable reports
The version of OpenSSL installed on the remote host is prior to 1.1.1u. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.1.1u advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1v. It is, therefore, affected by a vulnerability as referenced in the 1.1.1v advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1w. It is, therefore, affected by a vulnerability as referenced in the 1.1.1w advisory.

The remote web server type is :

Apache/2.4.56 (Unix) OpenSSL/1.1.1t

I thought was waiting for a new mod_ssl.  Are you saying I need to wait until IBM has a new OpenSSL package?

Vinny

------------------------------
Vincenzo Giambalvo

Original Message:
Sent: Wed September 20, 2023 03:31 AM
From: RESHMA KUMAR
Subject: httpd 2.4.57

Hi Scott,

mod_ssl links dynamically to openssl. So, if you have the latest openssl installed, mod_ssl will make use of it.
It is not required to build mod_ssl with latest openssl. 

------------------------------
RESHMA KUMAR

Original Message:
Sent: Tue September 19, 2023 11:35 AM
From: Scott Gruber
Subject: httpd 2.4.57

Actually we have done both.

Thanks

------------------------------
Scott Gruber

Original Message:
Sent: Tue September 19, 2023 11:22 AM
From: C- -T
Subject: httpd 2.4.57

when you are  invested that big in ibm stuff , why are you posting your complaints in a public forum instead of talking to your service representive inside ibm?

------------------------------
I regret starting this entire conversation

Original Message:
Sent: Tue September 19, 2023 10:52 AM
From: Scott Gruber
Subject: httpd 2.4.57

So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u.  Then tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v. 

Now tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.  

We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL , mod_ssl, httpd. 

We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBMs billions of profits that IBM can surely and appropriately designate a team just for this endeavor.

Thanks

------------------------------
Scott Gruber

Original Message:
Sent: Fri September 15, 2023 09:12 AM
From: Scott Gruber
Subject: httpd 2.4.57

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks

------------------------------
Scott Gruber
------------------------------

I'm trying to understand where the openssl vulnerabilities are coming from so I can update the packages.  It looks like other people have the same question.

Vinny

you are expecting httpd is built against openssl V3 which is not the case. 

its all written in the httpd spec file

* Fri Oct 21 2022 Ayappan P <ayappap2@in.ibm.com> - 2.4.54-3- Build with openssl 1.1.2 ( strong ciphers only )

------------------------------
I regret starting this entire conversation

Original Message:
Sent: Wed September 20, 2023 01:59 PM
From: Vincenzo Giambalvo
Subject: httpd 2.4.57

Hi Reshma

My understand was that openssl was complied into mod_ssl.

This is what my system reports.

# strings /opt/freeware/lib64/httpd/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.1.1l  24 Aug 2021

# /usr/bin/openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

# rpm -qa |grep httpd
httpd-2.4.56-1.ppc
# rpm -qa |grep mod_ssl
mod_ssl-2.4.56-1.ppc

Tenable reports
The version of OpenSSL installed on the remote host is prior to 1.1.1u. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.1.1u advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1v. It is, therefore, affected by a vulnerability as referenced in the 1.1.1v advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1w. It is, therefore, affected by a vulnerability as referenced in the 1.1.1w advisory.

The remote web server type is :

Apache/2.4.56 (Unix) OpenSSL/1.1.1t

I thought was waiting for a new mod_ssl.  Are you saying I need to wait until IBM has a new OpenSSL package?

Vinny

------------------------------
Vincenzo Giambalvo

Original Message:
Sent: Wed September 20, 2023 03:31 AM
From: RESHMA KUMAR
Subject: httpd 2.4.57

Hi Scott,

mod_ssl links dynamically to openssl. So, if you have the latest openssl installed, mod_ssl will make use of it.
It is not required to build mod_ssl with latest openssl. 

------------------------------
RESHMA KUMAR

Original Message:
Sent: Tue September 19, 2023 11:35 AM
From: Scott Gruber
Subject: httpd 2.4.57

Actually we have done both.

Thanks

------------------------------
Scott Gruber

Original Message:
Sent: Tue September 19, 2023 11:22 AM
From: C- -T
Subject: httpd 2.4.57

when you are  invested that big in ibm stuff , why are you posting your complaints in a public forum instead of talking to your service representive inside ibm?

------------------------------
I regret starting this entire conversation

Original Message:
Sent: Tue September 19, 2023 10:52 AM
From: Scott Gruber
Subject: httpd 2.4.57

So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u.  Then tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v. 

Now tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.  

We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL , mod_ssl, httpd. 

We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBMs billions of profits that IBM can surely and appropriately designate a team just for this endeavor.

Thanks

------------------------------
Scott Gruber

Original Message:
Sent: Fri September 15, 2023 09:12 AM
From: Scott Gruber
Subject: httpd 2.4.57

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks

------------------------------
Scott Gruber
------------------------------

Hi Reshma

My understand was that openssl was complied into mod_ssl.

This is what my system reports.

# strings /opt/freeware/lib64/httpd/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.1.1l  24 Aug 2021

# /usr/bin/openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

# rpm -qa |grep httpd
httpd-2.4.56-1.ppc
# rpm -qa |grep mod_ssl
mod_ssl-2.4.56-1.ppc

Tenable reports
The version of OpenSSL installed on the remote host is prior to 1.1.1u. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.1.1u advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1v. It is, therefore, affected by a vulnerability as referenced in the 1.1.1v advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1w. It is, therefore, affected by a vulnerability as referenced in the 1.1.1w advisory.

The remote web server type is :

Apache/2.4.56 (Unix) OpenSSL/1.1.1t

I thought was waiting for a new mod_ssl.  Are you saying I need to wait until IBM has a new OpenSSL package?

Vinny

------------------------------
Vincenzo Giambalvo

Original Message:
Sent: Wed September 20, 2023 03:31 AM
From: RESHMA KUMAR
Subject: httpd 2.4.57

Hi Scott,

mod_ssl links dynamically to openssl. So, if you have the latest openssl installed, mod_ssl will make use of it.
It is not required to build mod_ssl with latest openssl. 

------------------------------
RESHMA KUMAR

Original Message:
Sent: Tue September 19, 2023 11:35 AM
From: Scott Gruber
Subject: httpd 2.4.57

Actually we have done both.

Thanks

------------------------------
Scott Gruber

Original Message:
Sent: Tue September 19, 2023 11:22 AM
From: C- -T
Subject: httpd 2.4.57

when you are  invested that big in ibm stuff , why are you posting your complaints in a public forum instead of talking to your service representive inside ibm?

------------------------------
I regret starting this entire conversation

Original Message:
Sent: Tue September 19, 2023 10:52 AM
From: Scott Gruber
Subject: httpd 2.4.57

So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u.  Then tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v. 

Now tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.  

We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL , mod_ssl, httpd. 

We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBMs billions of profits that IBM can surely and appropriately designate a team just for this endeavor.

Thanks

------------------------------
Scott Gruber

Original Message:
Sent: Fri September 15, 2023 09:12 AM
From: Scott Gruber
Subject: httpd 2.4.57

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks

------------------------------
Scott Gruber
------------------------------

Hi Reshma

My understand was that openssl was complied into mod_ssl.

This is what my system reports.

# strings /opt/freeware/lib64/httpd/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.1.1l  24 Aug 2021

# /usr/bin/openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

# rpm -qa |grep httpd
httpd-2.4.56-1.ppc
# rpm -qa |grep mod_ssl
mod_ssl-2.4.56-1.ppc

Tenable reports
The version of OpenSSL installed on the remote host is prior to 1.1.1u. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.1.1u advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1v. It is, therefore, affected by a vulnerability as referenced in the 1.1.1v advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1w. It is, therefore, affected by a vulnerability as referenced in the 1.1.1w advisory.

The remote web server type is :

Apache/2.4.56 (Unix) OpenSSL/1.1.1t

I thought was waiting for a new mod_ssl.  Are you saying I need to wait until IBM has a new OpenSSL package?

Vinny

Hi Scott,

mod_ssl links dynamically to openssl. So, if you have the latest openssl installed, mod_ssl will make use of it.
It is not required to build mod_ssl with latest openssl. 

Actually we have done both.

Thanks

when you are  invested that big in ibm stuff , why are you posting your complaints in a public forum instead of talking to your service representive inside ibm?

So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u.  Then tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v. 

Now tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.  

We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL , mod_ssl, httpd. 

We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBMs billions of profits that IBM can surely and appropriately designate a team just for this endeavor.

Thanks

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks

openssl 1.1.1w has only one CVE fix ie., that is also for windows platform. So there is no plan from IBM to update openssl to 1.1.1w in AIX any time soon. 1.1.1v is already available in AIX web download pack programs. So installing openssl 1.1.1v will fix the problem. Tenable needs to be tuned to ignore the 1.1.1w advisory for AIX. 

Hi Reshma

My understand was that openssl was complied into mod_ssl.

This is what my system reports.

# strings /opt/freeware/lib64/httpd/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.1.1l  24 Aug 2021

# /usr/bin/openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

# rpm -qa |grep httpd
httpd-2.4.56-1.ppc
# rpm -qa |grep mod_ssl
mod_ssl-2.4.56-1.ppc

Tenable reports
The version of OpenSSL installed on the remote host is prior to 1.1.1u. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.1.1u advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1v. It is, therefore, affected by a vulnerability as referenced in the 1.1.1v advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1w. It is, therefore, affected by a vulnerability as referenced in the 1.1.1w advisory.

The remote web server type is :

Apache/2.4.56 (Unix) OpenSSL/1.1.1t

I thought was waiting for a new mod_ssl.  Are you saying I need to wait until IBM has a new OpenSSL package?

Vinny

Hi Scott,

mod_ssl links dynamically to openssl. So, if you have the latest openssl installed, mod_ssl will make use of it.
It is not required to build mod_ssl with latest openssl. 

Actually we have done both.

Thanks

when you are  invested that big in ibm stuff , why are you posting your complaints in a public forum instead of talking to your service representive inside ibm?

So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u.  Then tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v. 

Now tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.  

We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL , mod_ssl, httpd. 

We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBMs billions of profits that IBM can surely and appropriately designate a team just for this endeavor.

Thanks

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks

Interesting, so, the number of vulnerabilities determines IBM's interest to resolve ??? Being that OpenSSL is designed for security, even a single vulnerability is unacceptable. Please update to OpenSSL 1.1.1w.

Thanks

openssl 1.1.1w has only one CVE fix ie., that is also for windows platform. So there is no plan from IBM to update openssl to 1.1.1w in AIX any time soon. 1.1.1v is already available in AIX web download pack programs. So installing openssl 1.1.1v will fix the problem. Tenable needs to be tuned to ignore the 1.1.1w advisory for AIX. 

Hi Reshma

My understand was that openssl was complied into mod_ssl.

This is what my system reports.

# strings /opt/freeware/lib64/httpd/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.1.1l  24 Aug 2021

# /usr/bin/openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

# rpm -qa |grep httpd
httpd-2.4.56-1.ppc
# rpm -qa |grep mod_ssl
mod_ssl-2.4.56-1.ppc

Tenable reports
The version of OpenSSL installed on the remote host is prior to 1.1.1u. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.1.1u advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1v. It is, therefore, affected by a vulnerability as referenced in the 1.1.1v advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1w. It is, therefore, affected by a vulnerability as referenced in the 1.1.1w advisory.

The remote web server type is :

Apache/2.4.56 (Unix) OpenSSL/1.1.1t

I thought was waiting for a new mod_ssl.  Are you saying I need to wait until IBM has a new OpenSSL package?

Vinny

Hi Scott,

mod_ssl links dynamically to openssl. So, if you have the latest openssl installed, mod_ssl will make use of it.
It is not required to build mod_ssl with latest openssl. 

Actually we have done both.

Thanks

when you are  invested that big in ibm stuff , why are you posting your complaints in a public forum instead of talking to your service representive inside ibm?

So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u.  Then tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v. 

Now tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.  

We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL , mod_ssl, httpd. 

We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBMs billions of profits that IBM can surely and appropriately designate a team just for this endeavor.

Thanks

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks

To make it more clear, openssl 1.1.1v is affected by only one CVE so far. That CVE affects only windows (Microsoft Windows) platform. So if you have openssl 1.1.1v installed in AIX or linux or any UNIX platform, then so far there is no known security vulnerabilities affecting this openssl 1.1.1v version. 

Interesting, so, the number of vulnerabilities determines IBM's interest to resolve ??? Being that OpenSSL is designed for security, even a single vulnerability is unacceptable. Please update to OpenSSL 1.1.1w.

Thanks

openssl 1.1.1w has only one CVE fix ie., that is also for windows platform. So there is no plan from IBM to update openssl to 1.1.1w in AIX any time soon. 1.1.1v is already available in AIX web download pack programs. So installing openssl 1.1.1v will fix the problem. Tenable needs to be tuned to ignore the 1.1.1w advisory for AIX. 

Hi Reshma

My understand was that openssl was complied into mod_ssl.

This is what my system reports.

# strings /opt/freeware/lib64/httpd/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.1.1l  24 Aug 2021

# /usr/bin/openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

# rpm -qa |grep httpd
httpd-2.4.56-1.ppc
# rpm -qa |grep mod_ssl
mod_ssl-2.4.56-1.ppc

Tenable reports
The version of OpenSSL installed on the remote host is prior to 1.1.1u. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.1.1u advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1v. It is, therefore, affected by a vulnerability as referenced in the 1.1.1v advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1w. It is, therefore, affected by a vulnerability as referenced in the 1.1.1w advisory.

The remote web server type is :

Apache/2.4.56 (Unix) OpenSSL/1.1.1t

I thought was waiting for a new mod_ssl.  Are you saying I need to wait until IBM has a new OpenSSL package?

Vinny

Hi Scott,

mod_ssl links dynamically to openssl. So, if you have the latest openssl installed, mod_ssl will make use of it.
It is not required to build mod_ssl with latest openssl. 

Actually we have done both.

Thanks

when you are  invested that big in ibm stuff , why are you posting your complaints in a public forum instead of talking to your service representive inside ibm?

So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u.  Then tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v. 

Now tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.  

We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL , mod_ssl, httpd. 

We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBMs billions of profits that IBM can surely and appropriately designate a team just for this endeavor.

Thanks

Good Morning, Needing ETA on http/mod_ssl as tenable is calling out for an update.

it would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

Thanks