Encountering Challenges in Mitigating OpenSSL Vulnerability on Ubuntu-22


Encountering challenges in mitigating an openssl vulnerability on Ubuntu despite upgrade efforts. I ran the command docker run aquasec/trivy rootfs / to get the vulnerabilities in Ubuntu-22. The output is as follows:

Library     Vulnerability   Severity  Status  Installed Version  Fixed Version  Title
libcrypto3  CVE-2023-5363   HIGH      fixed   3.1.3-r0           3.1.4-r0       openssl: Incorrect cipher key and IV length processing
            CVE-2023-5678                                        3.1.4-r1

The current openssl version is 3.0.2. The sudo apt update and sudo apt upgrade commands did not help to upgrade it.

I followed the steps below to upgrade openssl to version 3.1.4 (link for the steps I followed: https://www.golinuxcloud.com/install-openssl-ubuntu/):

  1. Download and unpack the source
     sudo wget https://www.openssl.org/source/openssl-3.1.4.tar.gz
     sudo tar -xzvf openssl-3.1.4.tar.gz -C /usr/local/src/ && sudo mv /usr/local/src/openssl-3.1.4/* /usr/local/src
  2. Switch to the /usr/local/src directory, configure, build and install into /usr/local/ssl
     cd /usr/local/src/
     sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib
     sudo make && sudo make test
     sudo make install
  3. Add a file to the ld.so.conf.d directory so the loader can find the new libraries
     cd /etc/ld.so.conf.d/
     sudo nano openssl-3.1.4.conf
     Enter content: /usr/local/ssl/lib64
  4. Create the necessary links and cache for the newly added libraries and add the path
     sudo ldconfig -v
     sudo mv /usr/bin/c_rehash /usr/bin/c_rehash.backup
     sudo mv /usr/bin/openssl /usr/bin/openssl.backup
     export PATH="/usr/local/ssl/bin:$PATH"
     source ~/.bashrc
  5. View the openssl version
     $ openssl version
     OpenSSL 3.1.4 15 Mar 2022 (Library: OpenSSL 3.1.4 15 Mar 2022)
  6. View the dpkg -l output
     $ dpkg -l | grep openssl
     ii  openssl       3.0.2-0ubuntu1.12         amd64        Secure Sockets Layer toolkit

In the above, the openssl version command output was updated correctly to the new 3.1.4 version, but dpkg is still reporting the old version (3.0.2). WHY is the openssl version not updating in the dpkg output? And I ran the vulnerability command again; the output is the same as before:

Library     Vulnerability   Severity  Status  Installed Version  Fixed Version  Title
libcrypto3  CVE-2023-5363   HIGH      fixed   3.1.3-r0           3.1.4-r0       openssl: Incorrect cipher key and IV length processing
            CVE-2023-5678                                        3.1.4-r1

Can anyone help me fix the above issue?


There are 0 answers
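The post compares three different version numbers that come from three different places, and the script below is an added example (not part of the question above, and not from the golinuxcloud tutorial it follows) for telling them apart. Two facts drive it. First, a version such as 3.1.3-r0 with a -rN revision and a package named libcrypto3 is Alpine apk naming; Ubuntu 22.04 ships OpenSSL as the deb packages libssl3 and openssl with versions such as 3.0.2-0ubuntu1.12, and the aquasec/trivy image is itself Alpine-based, so a trivy rootfs / run inside that container with nothing bind-mounted is scanning the container's own root filesystem, not the host. Second, dpkg -l reports only what was installed from .deb packages, so a make install into /usr/local/ssl can never change it; the only thing that tells you which libcrypto a binary really uses is the dynamic loader. The sample scanner rows are constructed from the post's table; the second function assumes ldd and dpkg are on the machine being checked and is only run when a binary path is passed on the command line.

```shell
#!/bin/sh
# Added example, not part of the original question or the tutorial it follows.
# check_openssl_origin.sh: which ecosystem a scanner's version string belongs to,
# and which libcrypto a binary actually loads (and whether dpkg owns that file).

# classify_pkg_version VERSION
# Prints "alpine" for apk-style revisions (-rN), "debian" for Debian/Ubuntu-style
# revisions, "unknown" for a bare upstream version such as a source build's 3.1.4.
classify_pkg_version() {
  case "$1" in
    *-r[0-9]*)                echo alpine ;;   # e.g. 3.1.3-r0 (Alpine apk)
    *ubuntu*|*+deb*|*-[0-9]*) echo debian ;;   # e.g. 3.0.2-0ubuntu1.12 (Ubuntu deb)
    *)                        echo unknown ;;
  esac
}

# Constructed from the trivy table in the post (same column order; header line
# and the continuation row for CVE-2023-5678 are skipped by the parser below).
SAMPLE_SCAN='Library Vulnerability Severity Status Installed Version Fixed Version Title
libcrypto3 CVE-2023-5363 HIGH fixed 3.1.3-r0 3.1.4-r0 openssl: Incorrect cipher key and IV length processing
           CVE-2023-5678                                         3.1.4-r1'

# scanner_ecosystems < table-text
# For every row that starts with a library name and a CVE id, prints
# "<library> <installed-version> <ecosystem>".
scanner_ecosystems() {
  awk '$2 ~ /^CVE-/ && NF >= 6 { print $1, $5 }' | while read -r lib ver _; do
    echo "$lib $ver $(classify_pkg_version "$ver")"
  done
}

# linked_libcrypto BINARY
# Prints the libcrypto path the dynamic loader resolves for BINARY, followed by
# the dpkg package that owns it, or "not-owned-by-dpkg" when the file came from a
# source install (dpkg only records files unpacked from .deb packages).
# Requires ldd and dpkg on the host; assumed present when this runs.
linked_libcrypto() {
  bin="$1"
  lib=$(ldd "$bin" 2>/dev/null | awk '/libcrypto/ { print $3; exit }')
  if [ -z "$lib" ]; then
    echo "no libcrypto linked into $bin"
    return 1
  fi
  real=$(readlink -f "$lib")                        # follow the .so symlink chain
  owner=$(dpkg -S "$real" 2>/dev/null | cut -d: -f1) # empty when dpkg never saw it
  echo "$real ${owner:-not-owned-by-dpkg}"
}

# Usage: sh check_openssl_origin.sh /usr/bin/openssl.backup /usr/local/ssl/bin/openssl
# With no arguments only the functions are defined, so the file can be sourced.
if [ $# -gt 0 ]; then
  echo "# scanner rows and the package ecosystem their versions belong to"
  printf '%s\n' "$SAMPLE_SCAN" | scanner_ecosystems
  for bin in "$@"; do
    echo "# $bin"
    linked_libcrypto "$bin" || true
  done
fi
```

On the Ubuntu host from the post, the expected shape of the second part is that /usr/bin/openssl.backup resolves to /usr/lib/x86_64-linux-gnu/libcrypto.so.3 owned by libssl3, while /usr/local/ssl/bin/openssl resolves to a file under /usr/local/ssl/lib64 that dpkg does not own; that is the same split the question shows between openssl version and dpkg -l. To make the scanner look at the host rather than at its own image, bind-mount the host root into the container and point trivy rootfs at the mount point (for example -v /:/host and rootfs /host); the installed versions it reports should then carry Ubuntu-style revisions, not -rN ones.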