neo4j/docker-neo4j

Upgrade OpenSSL package for neo4j-Enterprise.4.3.2

ebrucucen opened this issue · 1 comments

We need an upgrade on the openssl package in the Debian base OS being packaged for the enterprise 4.3.2 container to cover the Buffer Overflow vulnerability to pass our internal vulnerability assessment.

The fix would be:

Upgrade Debian:11 openssl to version 1.1.1k-1+deb11u1 or higher.

https://snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-1569408

https://security-tracker.debian.org/tracker/CVE-2021-3711

Since Neo4j is an official image, docker automatically rebuilds images for us whenever a base image has a security fix.

I verified that openssl is already on version 1.1.1k-1+deb11u1 in neo4j:4.3.2-enterprise by doing:

docker run -it --rm -e NEO4J_ACCEPT_LICENSE_AGREEMENT=yes neo4j:4.3.2-enterprise /bin/bash
$ apt list --installed | grep openssl

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

openssl/now 1.1.1k-1+deb11u1 amd64 [installed,local]

If that doesn't show 1.1.1k-1+deb11u1 for you, then you should clear the docker cache and re-download the neo4j image.
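To make the check above repeatable (for example as a gate in an image-scanning pipeline), here is an added script that is not part of this issue thread or the docker-neo4j project: it parses the same `apt list --installed` output, compares the installed openssl version against the minimum named in the issue using Debian's own version ordering, and falls back to `sort -V` when `dpkg` is not on the host. The image tag and the sample listing are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not from the issue: verify that a Debian package inside a
# container image is at or above a required version. Assumes a local docker
# and the neo4j:4.3.2-enterprise tag only for check_image; everything else
# works on captured "apt list --installed" text.

MIN_OPENSSL="1.1.1k-1+deb11u1"   # fixed version from the Debian tracker entry
IMAGE="neo4j:4.3.2-enterprise"   # assumed tag

# Constructed sample of what "apt list --installed" prints for the fixed image.
SAMPLE_LISTING="Listing... Done
openssl/now 1.1.1k-1+deb11u1 amd64 [installed,local]"

# Print the installed version of package $1 from apt listing text on stdin,
# e.g. "openssl/now 1.1.1k-1+deb11u1 amd64 [...]" -> "1.1.1k-1+deb11u1".
installed_version() {
    awk -v pkg="$1" '$1 ~ ("^" pkg "/") { print $2; exit }'
}

# Return 0 if version $1 >= version $2 in Debian ordering (epoch, upstream,
# revision). dpkg is authoritative; GNU sort -V is a reasonable fallback.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
    fi
}

# Verdict for a listing on stdin: prints "ok", "outdated" or "missing";
# non-zero exit on anything but "ok" so it can gate a pipeline.
check_listing() {
    v=$(installed_version "$1")
    [ -n "$v" ] || { echo "missing"; return 1; }
    if version_ge "$v" "$2"; then echo "ok"; else echo "outdated"; return 1; fi
}

# Same check against the running image (needs docker). apt's "no stable CLI"
# warning goes to stderr, so only the listing reaches check_listing.
check_image() {
    docker run --rm -e NEO4J_ACCEPT_LICENSE_AGREEMENT=yes "$1" \
        apt list --installed 2>/dev/null | check_listing openssl "$MIN_OPENSSL"
}

# Offline demonstration on the constructed sample.
demo() { printf '%s\n' "$SAMPLE_LISTING" | check_listing openssl "$MIN_OPENSSL"; }
```

Run `check_image "$IMAGE"` on a host with docker; a cached pre-fix layer shows up as "outdated", which is the case the comment above tells you to resolve by clearing the image cache.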