Openssl and CVE-2022-2068


CyberFred
Hi Guys!

Trying to find info, I got here, and I've seen plenty of very interesting things!

I hope someone can help me out.

I have a server with CentOS 7.9 and CWP.

The problem is, after a penetration test, they say that a critical issue showed up and needs to be fixed:
</grave_replace>
<gr_replace lines="23" cat="clarify" orig="I have OpenSSL">
I have OpenSSL 1.0.2k-fips 26 Jan 2017 in the system (this is what openssl version shows).

CVE-2022-2068..

I have OpenSSL 1.0.2k-fips  26 Jan 2017 in the system. (this is what openssl version shows)

But in PHP it shows:

OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version OpenSSL 1.0.1e-fips 11 Feb 2013

Anyway..

I found a way to update OpenSSL in the system on the CWP forum. I followed this: https://forum.centos-webpanel.com/index.php?topic=4441.0

yum install gcc gcc-c++ pcre-devel zlib-devel make unzip gd-devel perl-ExtUtils-Embed libxslt-devel openssl-devel perl-Test-Simple

yum groupinstall 'Development Tools'
cd /usr/src
wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1v.tar.gz
tar xvf openssl-1.1.1v.tar.gz
mv openssl-1.1.1v openssl
cd openssl
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl --libdir=/lib64 shared zlib-dynamic
make -j4
make test
make install

mv /usr/bin/openssl /usr/bin/openssl-backup
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

Rebuild Apache.

Now, if I do openssl version, it shows:

_SERVER["SERVER_SOFTWARE"] Apache/2.4.57 (Unix) OpenSSL/1.1.1v
SERVER_SOFTWARE Apache/2.4.57 (Unix) OpenSSL/1.1.1v

But the PHP OpenSSL remains:

OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version OpenSSL 1.0.1e-fips 11 Feb 2013

I think I have to recompile PHP. I did once, but everything remains the same version.. 😞

I think I'll have to do it manually, but I have the feeling I could end up breaking things in CWP.

Is there a way to update the PHP libraries without breaking CWP?

Thank you all for reading, and special thanks to those who can help me out!
Edited by CyberFred

CentOS/EL uses backporting for security fixes. The version will show old, but the security vulnerability is already fixed via yum update.

Also, CentOS 7 is ending in a few months; consider upgrading to AlmaLinux 8 / CentOS Stream 8.

And it is not recommended to update OpenSSL in CentOS/EL, because this will break many dependencies.

To upgrade the Apache web server's OpenSSL you can use this tutorial
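The reply above is the key point for anyone chasing a scanner finding like this on an EL box: the upstream version string (1.0.2k, 1.0.1e) does not change when Red Hat backports a fix, so `openssl version` and phpinfo() tell you nothing about whether CVE-2022-2068 is patched. What does tell you is the package changelog. The following script is an added example and is not code from this thread, from CWP or from CentOS; it wraps that check in a function that can be fed either the live output of `rpm -q --changelog openssl` or a constructed sample changelog (the dates, maintainer and release numbers in the sample are invented for the demonstration).

```shell
#!/bin/sh
# Added example (not from the thread, CWP or CentOS): on EL systems the upstream
# version string stays the same after a backported fix, so check the package
# changelog rather than "openssl version" to see whether a CVE is patched.
# Live use on a CentOS 7 host:
#     rpm -q --changelog openssl | cve_in_changelog CVE-2022-2068 && echo patched
# PHP links its own copy, so ask PHP which OpenSSL it was built against:
#     php -r 'echo OPENSSL_VERSION_TEXT, "\n";'

# Exit 0 when the changelog text on stdin mentions the CVE id given as $1 as a
# whole token, so CVE-2022-2068 does not match a longer id such as CVE-2022-20680.
cve_in_changelog() {
    grep -q -i -E -- "(^|[^0-9A-Za-z])$1([^0-9A-Za-z]|\$)"
}

# Constructed sample in the layout of "rpm -q --changelog"; the dates,
# maintainer, release numbers and entry text are invented for this example.
SAMPLE_CHANGELOG='* Mon Aug 01 2022 Example Maintainer <maint@example.invalid> 1:1.0.2k-99
- fix CVE-2022-2068 - c_rehash script command injection

* Mon Jan 01 2018 Example Maintainer <maint@example.invalid> 1:1.0.2k-1
- rebase to upstream 1.0.2k
'

# Run the check against the constructed sample so it works without rpm.
check_sample() {
    printf '%s' "$SAMPLE_CHANGELOG" | cve_in_changelog "$1"
}

# Live check against the installed package: 0 = fix listed, 1 = not listed,
# 2 = rpm is not available on this host (not an RPM-based system).
check_installed() {
    pkg=$1
    cve=$2
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found: cannot inspect the $pkg changelog on this host" >&2
        return 2
    fi
    rpm -q --changelog "$pkg" | cve_in_changelog "$cve"
}

# Stand-alone run: demonstrate on the sample, then on the real package if possible.
if check_sample CVE-2022-2068; then
    echo "sample changelog: CVE-2022-2068 fix is listed"
fi
check_installed openssl CVE-2022-2068 && echo "installed openssl: CVE-2022-2068 fix is listed"
```

The token-boundary regex matters because CVE ids are prefixes of other ids; a plain substring grep would report CVE-2022-206 as present when only CVE-2022-2068 is. Running the same changelog check on the php package (or whichever PHP build CWP installed) is the way to answer the original question without rebuilding PHP against a hand-compiled OpenSSL, which is exactly the dependency breakage the reply warns about.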
