AIX Open Source


httpd 2.4.57

  • 1.  httpd 2.4.57

    Posted Fri September 15, 2023 09:12 AM

    Good morning. Needing an ETA on http/mod_ssl, as Tenable is calling out for an update.

    It would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

    Thanks



    ------------------------------
    Scott Gruber
    ------------------------------


  • 2.  RE: httpd 2.4.57

    Posted Tue September 19, 2023 10:53 AM

    So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u. Then Tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v.

    Now Tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.

    We are in dire need, as a major business with major investments in IBM technology, where we need for IBM to take a more responsible approach to timely updates to OpenSSL, mod_ssl, httpd.

    We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe, with all of IBM's billions of profits, that IBM can surely and appropriately designate a team just for this endeavor.


    Thanks



    ------------------------------
    Scott Gruber
    ------------------------------



  • 3.  RE: httpd 2.4.57

    Posted Tue September 19, 2023 11:22 AM

    When you are invested that big in IBM stuff, why are you posting your complaints in a public forum instead of talking to your service representative inside IBM?



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 4.  RE: httpd 2.4.57

    Posted Tue September 19, 2023 11:35 AM

    Actually we have done both.

    Thanks



    ------------------------------
    Scott Gruber
    ------------------------------



  • 5.  RE: httpd 2.4.57

    Posted Wed September 20, 2023 03:31 AM

    Hi Scott,

    mod_ssl links dynamically to openssl. So, if you have the latest openssl installed, mod_ssl will make use of it.
    It is not required to build mod_ssl with the latest openssl.



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 6.  RE: httpd 2.4.57

    Posted Wed September 20, 2023 02:00 PM

    Hi Reshma,

    My understanding was that openssl was compiled into mod_ssl.

    This is what my system reports.

    # strings /opt/freeware/lib64/httpd/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
    OpenSSL 1.1.1l  24 Aug 2021

    # /usr/bin/openssl version
    OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

    # rpm -qa |grep httpd
    httpd-2.4.56-1.ppc
    # rpm -qa |grep mod_ssl
    mod_ssl-2.4.56-1.ppc


    Tenable reports
    The version of OpenSSL installed on the remote host is prior to 1.1.1u. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.1.1u advisory.
    The version of OpenSSL installed on the remote host is prior to 1.1.1v. It is, therefore, affected by a vulnerability as referenced in the 1.1.1v advisory.
    The version of OpenSSL installed on the remote host is prior to 1.1.1w. It is, therefore, affected by a vulnerability as referenced in the 1.1.1w advisory.

    The remote web server type is :

    Apache/2.4.56 (Unix) OpenSSL/1.1.1t

    I thought I was waiting for a new mod_ssl. Are you saying I need to wait until IBM has a new OpenSSL package?

    Vinny



    ------------------------------
    Vincenzo Giambalvo
    ------------------------------



  • 7.  RE: httpd 2.4.57

    Posted Thu September 21, 2023 04:36 AM
    Edited by C- -T Thu September 21, 2023 04:36 AM

    You are expecting that httpd is built against openssl V3, which is not the case.

    It's all written in the httpd spec file:

    * Fri Oct 21 2022 Ayappan P <ayappap2@in.ibm.com> - 2.4.54-3
    - Build with openssl 1.1.2 ( strong ciphers only )



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 8.  RE: httpd 2.4.57

    Posted Thu September 21, 2023 08:50 AM

    I'm trying to understand where the openssl vulnerabilities are coming from so I can update the packages.  It looks like other people have the same question.

    Vinny



    ------------------------------
    Vincenzo Giambalvo
    ------------------------------



  • 9.  RE: httpd 2.4.57

    Posted Thu September 21, 2023 09:03 AM

    In your case, you are checking mod_ssl for SSL version strings, which point to openssl 1.1.X. As the machine where you are doing this check has openssl V3 installed and the library includes the backward compatibility libs for openssl, mod_ssl loads the 1.1.X libs via runtime linking, as it's built against the 1.1.X headers.

    If you need bleeding-edge apache/ssl versions, I would recommend switching to another platform for hosting web servers.



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 10.  RE: httpd 2.4.57

    Posted Fri September 22, 2023 01:04 AM
    Edited by RESHMA KUMAR Fri September 22, 2023 01:07 AM

    Hi Vinny,
    Yes, that is correct. You need to wait for the new version of Openssl to be released. If that is installed, mod_ssl will use it during runtime.
    As a point of information, we have openssl 1.1.1v available.



    ------------------------------
    RESHMA KUMAR
    ------------------------------
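    Reshma's and C- -T's replies above make one point: mod_ssl resolves its OpenSSL library at run time, so the string compiled into mod_ssl.so (1.1.1l in Vinny's strings output) is not what the server runs, and the banner Tenable saw (OpenSSL/1.1.1t) already shows a newer library than the compiled-in one. The POSIX shell script below is an added example, not code from this thread or from IBM's httpd/openssl packages. It separates the compiled-in version from the loaded one, compares them letter-aware (1.1.1l < 1.1.1u < 1.1.1v < 1.1.1w, which a naive numeric compare gets wrong), lists which libssl/libcrypto members the module needs, and decides whether a "prior to X" finding is a true positive. The sample strings, banner and ldd listing embedded in it are constructed to mirror post 6 and an AIX-style ldd output; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from IBM's httpd/openssl packages.
# Works out which OpenSSL version a "prior to X" scanner finding is really about,
# given (a) the version string compiled into mod_ssl.so and (b) the library the
# module loads at run time. All sample output below is constructed to mirror the
# thread; on a real AIX host it would come from `strings mod_ssl.so`,
# `openssl version`, the Server banner and `ldd mod_ssl.so`.

# Pull the version token out of a line such as "OpenSSL 1.1.1l  24 Aug 2021",
# "OpenSSL 3.0.8 7 Feb 2023 (Library: ...)" or a banner "... OpenSSL/1.1.1t".
openssl_version_from_output() {
    printf '%s\n' "$1" \
      | sed -n -e 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' \
               -e 's/.*OpenSSL\/\([0-9][0-9.]*[a-z]*\).*/\1/p' \
      | head -n 1
}

# Turn "1.1.1l" into a fixed-width key "001.001.001.012" so that plain string
# comparison orders versions correctly: the 1.1.x series used a trailing letter
# as its patch level (a=1 ... z=26); 3.x has no letter, so that field becomes 0.
openssl_version_key() {
    _v=$1
    _num=${_v%%[a-z]*}        # numeric part, e.g. "1.1.1"
    _letter=${_v#"$_num"}     # patch letter, e.g. "l", or empty
    if [ -n "$_letter" ]; then
        _ord=$(( $(printf '%d' "'$_letter") - 96 ))
    else
        _ord=0
    fi
    _old_ifs=$IFS; IFS=.
    set -- $_num
    IFS=$_old_ifs
    printf '%03d.%03d.%03d.%03d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$_ord"
}

# True (exit 0) when version $1 is older than version $2.
openssl_older_than() {
    _a=$(openssl_version_key "$1")
    _b=$(openssl_version_key "$2")
    awk -v a="$_a" -v b="$_b" 'BEGIN { exit !(a < b) }'
}

# The libssl/libcrypto members a module resolves at run time, taken from
# ldd-style output ("<module> needs:" followed by one dependency per line).
runtime_ssl_libs() {
    printf '%s\n' "$1" | grep -E 'lib(ssl|crypto)' | sed 's/^[[:space:]]*//'
}

# Judge a finding "installed OpenSSL is prior to $3" from the version compiled
# into mod_ssl.so ($1) and the version of the library it loads at run time ($2).
# Only the loaded library decides; the compiled-in string is a build-time hint.
assess_finding() {
    _built=$1; _loaded=$2; _required=$3
    if openssl_older_than "$_loaded" "$_required"; then
        printf 'VULNERABLE: runtime library %s is older than %s\n' "$_loaded" "$_required"
        return 1
    fi
    if openssl_older_than "$_built" "$_loaded"; then
        printf 'OK: built against %s, runtime library %s satisfies %s\n' "$_built" "$_loaded" "$_required"
    else
        printf 'OK: runtime library %s satisfies %s\n' "$_loaded" "$_required"
    fi
}

# ---- constructed sample data, mirroring post 6 and an AIX-style ldd listing ----
MODSSL_STRINGS='mod_ssl/2.4.56
OpenSSL 1.1.1l  24 Aug 2021'
SERVER_BANNER='Apache/2.4.56 (Unix) OpenSSL/1.1.1t'
LDD_OUTPUT='/opt/freeware/lib64/httpd/modules/mod_ssl.so needs:
     /usr/lib/libssl.a(libssl.so.1.1)
     /usr/lib/libcrypto.a(libcrypto.so.1.1)
     /usr/lib/libc.a(shr_64.o)'

built=$(openssl_version_from_output "$MODSSL_STRINGS")
loaded=$(openssl_version_from_output "$SERVER_BANNER")
echo "compiled-in version: $built   runtime version: $loaded"
echo "runtime members:"; runtime_ssl_libs "$LDD_OUTPUT"
for required in 1.1.1u 1.1.1v 1.1.1w; do
    assess_finding "$built" "$loaded" "$required" || :
done
# The same three findings re-evaluated once the openssl 1.1.1v package is in:
for required in 1.1.1u 1.1.1v 1.1.1w; do
    assess_finding "$built" 1.1.1v "$required" || :
done
```

    Run as-is it walks through the three Tenable findings twice: against the 1.1.1t library in Vinny's banner (all three are true positives) and against a 1.1.1v library (only the 1.1.1w finding remains). On a real host, replace the constructed strings with the output of `strings .../mod_ssl.so`, the Server banner or `openssl version`, and `ldd .../mod_ssl.so`. The version test alone still flags 1.1.1w; whether that advisory applies to AIX is a scanner-tuning decision the script does not make.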



  • 11.  RE: httpd 2.4.57

    Posted Fri September 22, 2023 03:13 AM

    openssl 1.1.1w has only one CVE fix, i.e., that is also for the Windows platform. So there is no plan from IBM to update openssl to 1.1.1w in AIX any time soon. 1.1.1v is already available in the AIX web download pack programs. So installing openssl 1.1.1v will fix the problem. Tenable needs to be tuned to ignore the 1.1.1w advisory for AIX.



    ------------------------------
    Ayappan P
    ------------------------------



  • 12.  RE: httpd 2.4.57

    Posted Fri September 22, 2023 09:24 AM

    Interesting, so the number of vulnerabilities determines IBM's interest to resolve? Being that OpenSSL is designed for security, even a single vulnerability is unacceptable. Please update to OpenSSL 1.1.1w.

    Thanks



    ------------------------------
    Scott Gruber
    ------------------------------



  • 13.  RE: httpd 2.4.57

    Posted Fri September 22, 2023 09:37 AM

    To make it more clear, openssl 1.1.1v is affected by only one CVE so far. That CVE affects only the Windows (Microsoft Windows) platform. So if you have openssl 1.1.1v installed on AIX or Linux or any UNIX platform, then so far there are no known security vulnerabilities affecting this openssl 1.1.1v version.



    ------------------------------
    Ayappan P
    ------------------------------



  • 14.  RE: httpd 2.4.57

    Posted Fri September 22, 2023 09:48 AM

    Thanks Ayappan for the clarification.



    ------------------------------
    Scott Gruber
    ------------------------------