I am seeking advice on the best approach to address the OpenSSL vulnerability identified as CVE-2024-4741. Upon checking the changelog with the command rpm -q --changelog openssl | grep -B 1 CVE-2024-4741, it appears that this vulnerability has not yet been resolved.
1. Backporting the Patch: If we choose this route, our goal is to ensure the patch is managed by the dnf package manager for seamless maintenance. Additionally, we want to ensure that the changelog continues to reflect any further resolutions of vulnerabilities.
2. Implementing Mitigation Strategies: Alternatively, we could implement effective mitigation strategies to protect our systems until an official fix is released.
I would appreciate any recommendations or insights on the best course of action.
Below is a detailed explanation of our findings and the steps we took to verify the presence of this vulnerability on our Rocky Linux 8 server running Apache HTTP and Tomcat 9.
Vulnerability Overview
The vulnerability CVE-2024-4741 is classified as low severity according to the OpenSSL Security Advisory. Due to its low severity and the absence of active exploitation, OpenSSL has not issued new releases to address this issue. See https://openssl-library.org/news/secadv/20240528.txt. Additionally, as you mentioned, Red Hat's four-point scale also classifies this vulnerability as low impact, as detailed in their CVE FAQ and security updates classification. See Severity ratings - Red Hat Customer Portal.
Relevance to Our Environment
The vulnerability is only relevant if a program calls the OpenSSL API function SSL_free_buffers. To determine if our server calls this function, we implemented the following checks:
This confirmed that the probe works correctly when the function is called.
Conclusion
Based on our thorough checks and the low severity assigned to this vulnerability, we conclude that the detection of CVE-2024-4741 is a false positive for our server. The SSL_free_buffers function is not being called, and thus, the vulnerability does not pose a risk to our environment. Please let us know if this is a valid conclusion and if any other checks or updates should be performed.
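A static complement to the runtime probe described in the post, added here as an example that is not part of the original post or of any cited project: it lists which ELF objects mapped by the httpd and java processes import SSL_free_buffers from libssl, by running GNU nm on the paths found in /proc/<pid>/maps. It assumes binutils is installed and the script runs as root; the process names and the sample maps/nm output are constructed for illustration.

```python
"""Static check for CVE-2024-4741 exposure: list the ELF objects mapped by the
httpd/java processes that import SSL_free_buffers. Assumes GNU `nm` and root."""
import re
import subprocess
from pathlib import Path

TARGET = "SSL_free_buffers"

# Constructed sample inputs (not captured from a real host), used by the checks.
SAMPLE_MAPS = """\
7f0c3a000000-7f0c3a0c7000 r-xp 00000000 fd:00 1234 /usr/lib64/libssl.so.1.1
7f0c3b000000-7f0c3b020000 r-xp 00000000 fd:00 5678 /usr/lib64/httpd/modules/mod_ssl.so
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0     [stack]
"""
SAMPLE_NM = """\
                 U SSL_CTX_new@OPENSSL_1_1_0
                 U SSL_free_buffers@OPENSSL_1_1_0
                 w __cxa_finalize@GLIBC_2.2.5
"""

def mapped_objects(maps_text):
    """Unique file paths backing executable mappings in a /proc/<pid>/maps dump."""
    paths = [p[5] for p in (l.split(None, 5) for l in maps_text.splitlines())
             if len(p) == 6 and "x" in p[1] and p[5].startswith("/")]
    return list(dict.fromkeys(paths))  # de-duplicate, keep first-seen order

def imports_symbol(nm_output, symbol=TARGET):
    """True if `nm -D --undefined-only` output lists `symbol` (plain or @version)."""
    pat = re.compile(r"^\s*(?:[0-9a-f]+\s+)?[Uw]\s+" + re.escape(symbol) + r"(?:@@?\S+)?$")
    return any(pat.match(line) for line in nm_output.splitlines())

def scan_processes(names=("httpd", "java")):
    """Mapped objects of the named processes whose dynamic imports include TARGET."""
    hits, seen = set(), set()
    for proc in Path("/proc").glob("[0-9]*"):
        try:
            if (proc / "comm").read_text().strip() not in names:
                continue
            maps = (proc / "maps").read_text()
        except OSError:
            continue  # process exited or is not readable by this user
        for obj in mapped_objects(maps):
            if obj not in seen:
                seen.add(obj)
                out = subprocess.run(["nm", "-D", "--undefined-only", obj],
                                     capture_output=True, text=True).stdout
                if imports_symbol(out):
                    hits.add(obj)
    return hits
```

An object that imports the symbol can call it; only the runtime probe shows whether it actually does under your configuration. A library that bundles its own statically linked OpenSSL copy would not show the import this way and needs a separate check.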