NagiosEnterprises/ncpa

OpenSSL issue CVE-2024-4741, CVE-2024-4603 and CVE-2024-2511 with NCPA for Windows 3.1.0

BlYuzucorp opened this issue · 20 comments

Hi,

You use a risky OpenSSL lib: c:\program files\nagios\ncpa\lib\libcrypto-3.dll and c:\program files\nagios\ncpa\lib\libssl-3.dll.
You use 3.0.13 and need to upgrade to 3.0.14.

Thanks

This wouldn't be isolated to Windows, since NCPA does a private bind of a few libraries and doesn't use the ones in the general Linux distribution the agent is installed on.

It should be a priority if there are unresolved CVEs in the current NCPA version.

Not sure we are talking about the same thing. I speak about the Windows edition, not the Linux edition of the package. So the 3.0.14 library you bind had an issue with security.

Yes, we are. I'm saying the security issue you mention wouldn't be isolated to the Windows NCPA version.

"...It should be a priority if there are unresolved CVEs in the current NCPA version..."

It's quite hard to understand. The CVE describes an issue with the current version and recommends upgrading to the new one. So why is it not a priority?

FYI, there are also plenty of CVEs for the OpenSSL packaged with it (as far as I understand it comes with Python), and the packaged version of OpenSSL is EOS according to MS Defender.

Is there any update on an updated package for resolving all the current CVE issues?

and 3.0.15 for new CVE-2024-5535

@BlYuzucorp My statement wasn't directed to you but to the NCPA package maintainers in regard to getting an updated NCPA package.

@sawolf @ne-bbahn

I'm surprised there's not been any (at least perceived) activity on getting an updated agent package that includes the current unresolved CVEs. Is anyone looking into this?

@MrPippin66
I am investigating build options and will get back to you soon.

Thanks for the update. I'm holding off doing our 3.1 rollout pending this being resolved.

Since the addition of OpenSSL 3 in Python, our Windows version of NCPA uses the OpenSSL version bundled into the Python release. As of this moment, Python 3.13 is in beta and the latest 3.12 (3.12.4) is built with OpenSSL 3.0.13 (the version currently in NCPA 3.1.0), so the Windows build is blocked on that front until Python updates the version that they're using. There was a version of the windows build that I had made that downloaded and built Python from source with a custom version of OpenSSL, but I would have to dig that up and update it to work with the current version of NCPA.

On the Linux front, we could update to use OpenSSL 3.0.14, but 3.0.15 isn't available from the OpenSSL website and I haven't looked into getting OpenSSL 3.3 working with NCPA. I am out for the next week, but I can look a little closer when I get back.

Openssl 3.0.14 does include the fixes involved in the main part of this issue.

Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]

Fixed potential use after free after SSL_free_buffers() is called ([[CVE-2024-4741](https://openssl-library.org/news/openssl-3.0-notes/vulnerabilities.html#CVE-2024-4741)])
Fixed an issue where checking excessively long DSA keys or parameters may be very slow ([[CVE-2024-4603](https://openssl-library.org/news/openssl-3.0-notes/vulnerabilities.html#CVE-2024-4603)])
Fixed unbounded memory growth with session handling in TLSv1.3 ([[CVE-2024-2511](https://openssl-library.org/news/openssl-3.0-notes/vulnerabilities.html#CVE-2024-2511)])

So those can be resolved in the Linux side. Clearly doesn't address the Windows side of these CVEs.

And it's still desirable to address the python ssl module issue, if possible. CVE-2024-0397. (if not already addressed)
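Because the Windows agent inherits whatever OpenSSL the bundled Python was built against, the practical check is to ask that interpreter what it links and compare against the fix versions named in this thread (3.0.14 for CVE-2024-4741, CVE-2024-4603 and CVE-2024-2511; 3.0.15 for CVE-2024-5535). The script below is an added example, not code from NCPA or its maintainers: it parses the `ssl.OPENSSL_VERSION` banner, and the interpreter path it accepts on the command line (for instance the python.exe under the NCPA install directory) is an assumption. Its table covers only the 3.0 branch discussed here.

```python
"""Report which OpenSSL CVEs from this thread a given build still lacks fixes for.

Added example; not part of NCPA. Run with no argument to inspect the
current interpreter, or pass a path to another python.exe/python3 binary
(assumed path, e.g. the one bundled with NCPA) to inspect that one.
"""
import re
import ssl
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Fix versions as stated in the thread: 3.0.14 closed three CVEs, 3.0.15 closed CVE-2024-5535.
OPENSSL_FIXES: Dict[Tuple[int, int, int], List[str]] = {
    (3, 0, 14): ["CVE-2024-4741", "CVE-2024-4603", "CVE-2024-2511"],
    (3, 0, 15): ["CVE-2024-5535"],
}

# Constructed sample banner in the form ssl.OPENSSL_VERSION returns for the
# build shipped in NCPA 3.1.0 (OpenSSL 3.0.13).
SAMPLE_BANNER_NCPA_310 = "OpenSSL 3.0.13 30 Jan 2024"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> Tuple[int, int, int]:
    """Turn 'OpenSSL 3.0.13 30 Jan 2024' into the comparable tuple (3, 0, 13)."""
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def unpatched_cves(version: Tuple[int, int, int]) -> Optional[List[str]]:
    """List the table's CVEs that `version` predates.

    Returns None for branches other than 3.0.x: the table is specific to the
    3.0 LTS line, and patch numbers are not comparable across branches.
    """
    if version[:2] != (3, 0):
        return None
    missing: List[str] = []
    for fixed_in, cves in sorted(OPENSSL_FIXES.items()):
        if version < fixed_in:
            missing.extend(cves)
    return missing


def banner_from_interpreter(python_exe: str) -> str:
    """Ask another interpreter which OpenSSL its ssl module was built against."""
    result = subprocess.run(
        [python_exe, "-c", "import ssl; print(ssl.OPENSSL_VERSION)"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def report(banner: str) -> str:
    """Human-readable verdict for one banner string."""
    version = parse_openssl_version(banner)
    label = "OpenSSL " + ".".join(str(n) for n in version)
    missing = unpatched_cves(version)
    if missing is None:
        return f"{label}: branch not covered by this table"
    if not missing:
        return f"{label}: all listed CVEs fixed"
    return f"{label}: still affected by {', '.join(missing)}"


if __name__ == "__main__":
    # Default to the running interpreter; an argument names another one to probe.
    banner = banner_from_interpreter(sys.argv[1]) if len(sys.argv) > 1 else ssl.OPENSSL_VERSION
    print(report(banner))
```

Pointing the script at the agent's own interpreter rather than reading the DLL's file version is deliberate: it reports the library the ssl module actually loaded, which is the one NCPA's listener uses.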

Is any progress being made on this?

Yes. Sorry for the wait, I've been out of town. We will be moving into QA shortly on NCPA 3.1.1, which will update the Linux version to use OpenSSL 3.0.15 and the Windows build's Python version to 3.12.5.
Unfortunately, this version of Python still uses OpenSSL 3.0.13 and as much as I would like to finish out the Windows custom OpenSSL build script, I do not have time to dig up and finish it in the foreseeable future, so the Windows version is stuck with whatever is packaged with the most recent Python release.

Thanks for the update

Sorry to push, but is there any ETA on a possible linux release to address the OpenSSL issues?

We should be releasing NCPA 3.1.1 early next week.

That's good news. Just for info, Python released version 3.12.6 for the OpenSSL issue.
Release note:
...
Windows
Updated Windows build to use OpenSSL 3.0.15.
...