Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rebase Latest Exchange Container Images To Include OpenSSL v3.0.7 Update #650

Closed
naphelps opened this issue Nov 1, 2022 · 12 comments
Closed
Assignees
Labels

Comments

@naphelps
Copy link
Member

naphelps commented Nov 1, 2022

OpenSSL v3.x has a critical high security vulnerability that needs to patched. This version of OpenSSL is included in Red Hat's UBI 9. The patch to fix this vulnerability is to be released November 1, 2022. Once this patch is released to the UBI 9 repository, the Open Horizon team is to rebuild and release new Exchange container images to include the fix for this vulnerability.

@naphelps naphelps added the p1 label Nov 1, 2022
@johnwalicki johnwalicki self-assigned this Nov 1, 2022
@johnwalicki
Copy link
Member

Follow the availability of the ubi9/ubi9-minimal container at
https://catalog.redhat.com/software/containers/search

@naphelps
Copy link
Member Author

naphelps commented Nov 1, 2022

@johnwalicki OpenSSL is not included in the base minimal image by default it must be installed from the UBI repository as an added layer.

https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/o/

Cmd("RUN", "mkdir -p /run/user/$UID && microdnf update -y --nodocs && microdnf install -y --nodocs shadow-utils gettext java-17-openjdk openssl && microdnf clean all"),

@johnwalicki
Copy link
Member

Right..., my OH code searches found that build.sbt yesterday. The microdnf install adds the openssl package to the exchange container. We'll just need to re-run the build pipeline

https://github.com/open-horizon/exchange-api/blob/master/build.sbt

@johnwalicki
Copy link
Member

In the abundance of clarity, we should bump the exchange build number (which I think is an artifact of the build process?) so that we can tell users the minimum release ver to upgrade to.

@naphelps
Copy link
Member Author

naphelps commented Nov 1, 2022

That has already been done, pulling v2.87.4 from the latest released branch or anything v2.102.0+ from the master branch will cover you.

#617
#648

@johnwalicki johnwalicki changed the title Rebase Latest Exchange Container Images To Include OpenSLL v3.0.7 Update Rebase Latest Exchange Container Images To Include OpenSSL v3.0.7 Update Nov 1, 2022
@naphelps
Copy link
Member Author

naphelps commented Nov 2, 2022

Posted CVEs have been downgraded from critical to high.

https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3786

@johnwalicki
Copy link
Member

@bencourliss Here is the RHEL 9 errata for OpenSSL 3.0.7
An update for openssl is now available for Red Hat Enterprise Linux 9.
https://access.redhat.com/errata/RHSA-2022:7288

@johnwalicki
Copy link
Member

Can you kick off a build to generate a refreshed Exchange container with this updated OpenSSL 3.0.7 errata?

@naphelps
Copy link
Member Author

naphelps commented Nov 2, 2022

The updated packages have not hit the repository yet. The UBI repositories typically lag behind the RHEL ones.

@bencourliss
Copy link
Member

I have confirmed with RedHat that the openssl-3.0.1-43.el9_0.x86_64.rpm contains the backported fixes for CVE-2022-3602 and CVE-2022-3786. These have been included in the latest build of ExchangeAPI (version 2.106.0+) and will be published to Dockerhub as soon as a passing e2edev test completes from the Anax side.

@naphelps
Copy link
Member Author

naphelps commented Nov 8, 2022

Issue resolved, closing.

@naphelps naphelps closed this as completed Nov 8, 2022
@johnwalicki
Copy link
Member

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants