Hi Scott,
If you are looking for the 1.0.2zf version of openssl for httpd, then just install it on your system and httpd will use it, as it is dynamically linked.
We are working on compiling httpd with openssl 1.1.1 and soon that will also be available.
Here is some info regarding the openssl 1.0.2zf version:
IBM has already provided a fixed openssl 1.0.2 version (zf).
The current AIX openssl version 1.0.2.2104 is the fileset which contains all vulnerability fixes including 1.0.2ze.
It is available in web download pack.
It is mentioned in the fileset's readme: "OpenSSL 1.0.2.2104 addresses all vulnerabilities reported until openssl 1.0.2ze version…"
Along with this, IBM has recently patched a vulnerability fixed in the latest community release, 1.0.2zf.
The advisory for the same is: https://aix.software.ibm.com/aix/efixes/security/openssl_advisory36.asc
So the current AIX web download openssl version is 1.0.2ze, but there is an ifix available to move to zf. The ifix location is mentioned in the above advisory.
By default, AIX openssl does not show the patch version. So if you run the "openssl version" command, it will return the 1.0.2u release but will not display the patch version information.
To display the patch version information, /var/ssl/ssl_version.cnf needs to be created or modified to add the following line
(if /var/ssl/ssl_version.cnf is not present on the system, create it):
DISPLAY_PATCH_VERSION = yes
The above information is also mentioned in the readme of the openssl fileset.
I tried it on my system. After installing the latest openssl 1.0.2.2104 from web download and adding /var/ssl/ssl_version.cnf:
# openssl version
OpenSSL 1.0.2ze 3 May 2022
After applying the ifix:
# openssl version
OpenSSL 1.0.2zf 21 Jun 2022
As httpd or any other AIX toolbox application links to openssl dynamically, it will use the latest installed openssl only.
This should fix your security scan problem.
Kindly let me know if you need any other information.
------------------------------
SANKET RATHI
------------------------------
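As an added example (not part of this thread or of IBM's tooling), the POSIX shell check below ranks OpenSSL 1.0.2 patch letters so it can tell the 1.0.2u string shown when the patch display is off from the 1.0.2ze and 1.0.2zf strings shown above; the sample lines are constructed from the outputs quoted in this thread, and the 1.0.2zf minimum is the one the advisory refers to.

```shell
#!/bin/sh
# Added example, not from the thread or IBM: rank OpenSSL 1.0.2 patch letters
# so a check can tell 1.0.2u < 1.0.2ze < 1.0.2zf. OpenSSL 1.0.x suffixes run
# a..z, then za..zz; summing letter values (a=1 .. z=26) reproduces that order.

# Print the numeric rank of a patch-letter suffix ("" -> 0, "u" -> 21, "zf" -> 32).
letter_rank() {
    suffix=$1
    rank=0
    while [ -n "$suffix" ]; do
        c=$(printf '%s' "$suffix" | cut -c1)
        suffix=$(printf '%s' "$suffix" | cut -c2-)
        code=$(printf '%d' "'$c")      # ASCII code of the letter
        rank=$((rank + code - 96))     # 'a' is 97, so a=1 .. z=26
    done
    echo "$rank"
}

# Take one "openssl version" line (e.g. "OpenSSL 1.0.2zf 21 Jun 2022") and
# print "<base> <rank>", e.g. "1.0.2 32". With DISPLAY_PATCH_VERSION unset,
# AIX prints the 1.0.2u base it was built from, which ranks as 21 no matter
# which fixes are actually installed.
parse_openssl_version() {
    ver=$(printf '%s' "$1" | awk '{print $2}')
    base=$(printf '%s' "$ver" | sed 's/[a-z]*$//')
    letters=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')
    echo "$base $(letter_rank "$letters")"
}

# Exit 0 if the reported version line is at or above the minimum (e.g. 1.0.2zf)
# on the same release line; a different release line (1.1.1l) never matches.
meets_minimum() {
    set -- $(parse_openssl_version "$1") $(parse_openssl_version "OpenSSL $2")
    [ "$1" = "$3" ] && [ "$2" -ge "$4" ]
}

# Constructed sample lines mirroring the outputs quoted in the thread.
for line in "OpenSSL 1.0.2u" "OpenSSL 1.0.2ze 3 May 2022" "OpenSSL 1.0.2zf 21 Jun 2022"; do
    if meets_minimum "$line" 1.0.2zf; then
        echo "$line -> at or above 1.0.2zf"
    else
        echo "$line -> below 1.0.2zf (patch display off, or ifix not applied)"
    fi
done
```

A scanner that only sees the bare 1.0.2u string will rank it at 21 and flag it, which is why enabling the patch display matters before re-running the scan.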
Original Message:
Sent: Thu July 21, 2022 02:45 PM
From: Scott Gruber
Subject: Please update httpd > httpd-2.4.54
Would renaming libssl.so.1.0.2, then copying libssl.so.1.1 out of the library, renaming it to libssl.so.1.0.2 and then adding it back into the library work?
# ar -vt /usr/lib/libssl.a
rwxr-xr-x 0/0 728674 Apr 19 10:49 2022 libssl.so
rwxr-xr-x 0/0 510766 Apr 19 10:49 2022 libssl.so.0.9.8
rwxr-xr-x 0/0 728674 Apr 19 10:49 2022 libssl.so.1.0.0
rwxr-xr-x 0/0 728674 Apr 19 10:49 2022 libssl.so.1.0.2
rwxr-xr-x 0/0 1030403 Apr 18 16:06 2022 libssl.so.1.1
------------------------------
Scott Gruber
Original Message:
Sent: Thu July 21, 2022 02:36 PM
From: Scott Gruber
Subject: Please update httpd > httpd-2.4.54
Thanks for the info.
Is there anything I can do to force the link to version 1.1.so?
------------------------------
Scott Gruber
Original Message:
Sent: Thu July 21, 2022 10:18 AM
From: Ayappan P
Subject: Please update httpd > httpd-2.4.54
AIX Toolbox packages are dynamically linked with openssl libraries (right now with 1.0.2.so, but gradually they will be linked with 1.1.so).
So it's the runtime environment that decides which openssl library is used by the packages.
So as long as the recent openssl 1.0.2* is installed on the machine, it is fine.
------------------------------
Ayappan P
Original Message:
Sent: Wed July 20, 2022 12:33 PM
From: Scott Gruber
Subject: Please update httpd > httpd-2.4.54
Sanket,
I see httpd-2.4.54 with its mod_ssl. I've installed it and it looks good - thanks for that. However, I see the below:
Server version: Apache/2.4.54 (Unix)
Server built: Jul 5 2022 02:53:31
lib/mod_ssl-2.4.54-1.ppc 32bit : OpenSSL 1.0.2t 10 Sep 2019
lib64/mod_ssl-2.4.54-1.ppc 64bit : OpenSSL 1.0.2t 10 Sep 2019
curl : Apache reports for HTTP : Server: Apache/2.4.54 (Unix) OpenSSL/1.0.2u
curl : Apache reports for HTTPS : Server: Apache/2.4.54 (Unix) OpenSSL/1.0.2u
AIX Servers OpenSSL is : OpenSSL 1.1.1l 24 Aug 2021
How come curl reports OpenSSL 1.0.2u when the mod_ssl is 1.0.2t?
Thanks
------------------------------
Scott Gruber
Original Message:
Sent: Wed June 15, 2022 11:01 AM
From: SANKET RATHI
Subject: Please update httpd > httpd-2.4.54
Hi Lisa,
Thank you for reporting the security vulnerabilities.
These are recent CVEs and we are tracking them. We will publish a fixed version of httpd with fixes for these CVEs.
------------------------------
SANKET RATHI
Original Message:
Sent: Tue June 14, 2022 03:02 PM
From: Lisa Isaly
Subject: Please update httpd > httpd-2.4.54
Please update httpd to a version greater than 2.4.53. The vulnerability management platform Tenable is reporting multiple advisories:
The version of Apache httpd installed on the remote host is prior to 2.4.54. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.54 advisory.
- mod_proxy_ajp: Possible request smuggling. Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.53 and prior versions. Acknowledgements: Ricter Z @ 360 Noah Lab (CVE-2022-26377)
- Read beyond bounds in mod_isapi: Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module. Acknowledgements: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue (CVE-2022-28330)
- Read beyond bounds via ap_rwrite(): The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function. Acknowledgements: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue (CVE-2022-28614)
- Read beyond bounds in ap_strcmp_match(): Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected. Acknowledgements: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue (CVE-2022-28615)
- Denial of service in mod_lua r:parsebody: In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. Acknowledgements: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue (CVE-2022-29404)
- mod_sed denial of service: If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort. Acknowledgements: This issue was found by Brian Moussalli from the JFrog Security Research team (CVE-2022-30522)
- Information Disclosure in mod_lua with websockets: Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. Acknowledgements: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue (CVE-2022-30556)
- mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism: Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on the client-side Connection header hop-by-hop mechanism. This may be used to bypass IP-based authentication on the origin server/application. Acknowledgements: The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue (CVE-2022-31813)
An update to httpd would be appreciated.
Thank you,
------------------------------
Lisa Isaly
------------------------------