Addressing OpenSSL Vulnerability CVE-2024-4741

Hello Rocky Linux Community,

I am seeking advice on the best approach to address the OpenSSL vulnerability identified as CVE-2024-4741. Upon checking the changelog with the command rpm -q --changelog openssl | grep -B 1 CVE-2024-4741, it appears that this vulnerability has not yet been resolved.

I found a potential patch on GitHub: OpenSSL 1.1.1 at Releases · kzalewski/openssl-1.1.1 · GitHub

Our options include:

Backporting the Patch: If we choose this route, our goal is to ensure the patch is managed by the dnf package manager for seamless maintenance. Additionally, we want to ensure that the changelog continues to reflect any further resolutions of vulnerabilities.
Implementing Mitigation Strategies: Alternatively, we could implement effective mitigation strategies to protect our systems until an official fix is released.

I would appreciate any recommendations or insights on the best course of action.

Thank you!

Bill

Red Hat deems the issue to be low impact: https://access.redhat.com/security/cve/CVE-2024-4741

Do you have applications that call the SSL_free_buffers() function of the openssl library?

Hi,

Thank you for your response.

Below is a detailed explanation of our findings and the steps we took to verify the presence of this vulnerability on our Rocky Linux 8 server running Apache HTTP and Tomcat 9.

Vulnerability Overview

The vulnerability CVE-2024-4741 is classified as low severity according to the OpenSSL Security Advisory. Due to its low severity and the absence of active exploitation, OpenSSL has not issued new releases to address this issue. See https://openssl-library.org/news/secadv/20240528.txt. Additionally, as you mentioned, Red Hat's four-point scale also classifies this vulnerability as low impact, as detailed in their CVE FAQ and security updates classification. See Severity ratings - Red Hat Customer Portal.

Relevance to Our Environment

The vulnerability is only relevant if a program calls the OpenSSL API function SSL_free_buffers. To determine if our server calls this function, we implemented the following checks:

  1. Symbol Inspection with nm:
  • Command: nm /usr/local/apache2/bin/httpd | grep SSL_free_buffers
  • Result: No output, indicating the function is not present in the Apache HTTP binary.
  2. Shared Libraries Review:
  • Command: ldd /usr/local/apache2/bin/httpd
  • Result: The output showed no shared libraries linked with OpenSSL, confirming that Apache HTTP does not use OpenSSL directly.
linux-vdso.so.1 (0x00007ffee1b65000)
libpcre2-8.so.0 => /usr/lib64/libpcre2-8.so.0 (0x00007f76c1c18000)
libaprutil-1.so.0 => /usr/lib64/libaprutil-1.so.0 (0x00007f76c19e9000)
libcrypt.so.1 => /usr/lib64/libcrypt.so.1 (0x00007f76c17c0000)
libdb-5.3.so => /usr/lib64/libdb-5.3.so (0x00007f76c13fc000)
libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x00007f76c11c0000)
libapr-1.so.0 => /usr/lib64/libapr-1.so.0 (0x00007f76c0f86000)
libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007f76c0d66000)
libdl.so.2 => /usr/lib64/libdl.so.2 (0x00007f76c0b62000)
libc.so.6 => /usr/lib64/libc.so.6 (0x00007f76c078c000)
libuuid.so.1 => /usr/lib64/libuuid.so.1 (0x00007f76c0584000)
libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f76c0099000)
/lib64/ld-linux-x86-64.so.2 (0x00007f76c1e9c000)
libz.so.1 => /usr/lib64/libz.so.1 (0x00007f76bfe81000)
  3. Module Inspection with nm:
  • Command: nm /usr/local/apache2/modules/mod_ssl.so | grep SSL_free_buffers
  • Result: No output, indicating the function is not present in the mod_ssl module.
  4. Runtime Check with ltrace:
  • Command: ltrace -e SSL_free_buffers -f -o ltrace_output.txt /usr/local/apache2/bin/httpd
  • Result: No output, confirming that the function is not called during runtime.
  5. SystemTap Probe:
  • Command: stap -e 'probe process("/usr/lib64/libssl.so.1.1").function("SSL_free_buffers") { printf("SSL_free_buffers called\n"); }'
  • Result: The probe did not get triggered during operations on the website and server.

Verification with Test Program

To further verify, we created a test program that explicitly calls SSL_free_buffers:

#include <openssl/ssl.h>
#include <stdio.h>
/* No network traffic needed: the point is only to make the probed call. */
int main(void) {
    SSL_CTX *ctx = SSL_CTX_new(TLS_method());
    if (ctx == NULL) {
        fprintf(stderr, "SSL_CTX_new failed\n");
        return 1;
    }
    SSL *ssl = SSL_new(ctx);
    if (ssl == NULL) {
        fprintf(stderr, "SSL_new failed\n");
        SSL_CTX_free(ctx);
        return 1;
    }
    SSL_free_buffers(ssl);   /* the call the SystemTap probe watches for */
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return 0;
}
  • Compilation: gcc -o test_ssl test_ssl.c -lssl -lcrypto
  • Execution: ./test_ssl
  • Probe Output: SSL_free_buffers called

This confirmed that the probe works correctly when the function is called.

Conclusion

Based on our thorough checks and the low severity assigned to this vulnerability, we conclude that the detection of CVE-2024-4741 is a false positive for our server. The SSL_free_buffers function is not being called, and thus, the vulnerability does not pose a risk to our environment. Please let us know if this is a valid conclusion and if any other checks or updates should be performed.

Thank you for your assistance.

Best regards,

Bill
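A scripted version of the symbol and linkage checks from the post above, added here as an example and not part of the thread. It reads the dynamic symbol table with nm -D, which survives stripping (plain nm on a stripped binary prints "no symbols", so an empty grep there is not evidence of anything), and checks ldd output for libssl, the library that actually provides SSL_free_buffers. The sample listings in demo() are constructed, not captured from the poster's server.

```shell
#!/bin/sh
# Added example: audit an ELF binary or module for a reference to
# SSL_free_buffers, the only entry point CVE-2024-4741 concerns.

# classify_symbols: reads `nm -D` output on stdin and prints one word:
#   defines - the object itself defines SSL_free_buffers (e.g. libssl)
#   imports - the object has an undefined (U) reference, i.e. it calls it
#   absent  - no reference at all
classify_symbols() {
    awk '
        NF < 2 { next }                         # skip blank/odd lines
        { name = $NF; sub(/@.*/, "", name) }    # drop @VERSION suffixes
        name == "SSL_free_buffers" && $(NF-1) == "U" { imp = 1 }
        name == "SSL_free_buffers" && $(NF-1) ~ /^[TtWw]$/ { def = 1 }
        END { if (def) print "defines"; else if (imp) print "imports";
              else print "absent" }
    '
}

# links_libssl: reads `ldd` output on stdin; exit 0 if libssl is a dependency.
# libcrypto alone does not count: SSL_free_buffers lives in libssl.
links_libssl() {
    grep -q 'libssl\.so'
}

# audit_file PATH: run both checks on a real object and print a one-line verdict.
audit_file() {
    f=$1
    sym=$(nm -D "$f" 2>/dev/null | classify_symbols)
    if ldd "$f" 2>/dev/null | links_libssl; then dep=yes; else dep=no; fi
    printf '%s: SSL_free_buffers=%s libssl-linked=%s\n' "$f" "$sym" "$dep"
}

# demo: constructed nm -D listings standing in for a calling module and for libssl.
demo() {
    printf '%s\n' '                 U SSL_CTX_new' \
                  '                 U SSL_free_buffers@OPENSSL_1_1_0' | classify_symbols
    printf '%s\n' '000000000003a1c0 T SSL_free_buffers@@OPENSSL_1_1_0' | classify_symbols
    printf '%s\n' '                 U SSL_new' '                 U SSL_free' | classify_symbols
}

demo
```

Run audit_file on /usr/local/apache2/modules/mod_ssl.so and on any other binaries that load libssl; "imports" on a module is the case that warrants the SystemTap runtime check, "absent" everywhere means the static evidence agrees with the post's conclusion.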
