What will be the impact after removal of OpenSSL c_rehash script from td-agent #4456
jmeher2020 asked this question in Q&A
Removing the c_rehash may solve one of your concerns (fluentd doesn't execute c_rehash), but it can't solve other implicit/explicit vulnerabilities.
OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.
https://mta.openssl.org/pipermail/openssl-announce/2022-November/000243.html
On GNU/Linux, td-agent uses the system's OpenSSL.
The OpenSSL packages of RHEL 9 and Ubuntu 22.04 are v3, so they are affected.
Please upgrade your OpenSSL package if you use td-agent on such systems.
The OpenSSL packages of RHEL 7, RHEL 8, Amazon Linux 2, Ubuntu 20.04 LTS, Ubuntu 18.04 LTS, Debian buster, Debian bullseye are v1.1.1, so they aren't vulnerable to this issue.
On Windows and macOS, we bundle OpenSSL 1.1.1 which isn't vulnerable to this issue.
Originally posted by @ashie in #3940 (comment)
In one of our applications we are using fluentd/td-agent-3.7.1 and we do not want to upgrade it. We found the vulnerability CVE-2022-2068 as referenced.
Reference Issue: #3940
CVE Link: https://nvd.nist.gov/vuln/detail/cve-2022-2068
In our case, td-agent is using its own OpenSSL instead of the OS OpenSSL. We understand that the vulnerability is due to the OpenSSL c_rehash script. Therefore, removing the c_rehash may solve this issue because doing so would eliminate the interface or attack vector to exploit the vulnerability.
My question: What will be the impact, or what possible scenario will fail, if I remove the OpenSSL c_rehash script from td-agent packaging?