openssl 3.0.2 vulnerability

[FliesLikeABrick]

I did not see an existing issue or discussion for this. Our team was notified by another team that our running netbox-docker image contains a vulnerable version of openssl (3.0.2) currently.

When the new version is released and adopted upstream in debian, should we expect any action needed in netbox-docker to receive the patched version from upstream? It does not appear that netbox-docker is locked onto a specific version of openssl, but I wanted to ask the question, partially for others to find this issue if they have the same questions or concerns from their security team.

As of right now, our expectation would be that a rebuild and redeploy with netbox-docker should automatically receive the fix, once it is available to debian users upstream.

What version of Debian is the container being built with, and where can we monitor to know when 3.0.7+ is available to trigger our rebuild?

Do any additional flags need to be passed to build.sh to ensure any cached metadata about available packages is purged for a complete rebuild?

Current Behavior

$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
$

Expected Behavior

Expect to see 3.0.7+ once released

Docker Compose Version

1.27.2

Docker Version

-bash-4.2$ docker version
Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:41 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.12
  Git commit:       459d0df
  Built:            Mon Dec 13 11:44:05 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.12
  GitCommit:        7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
-bash-4.2$

The git Revision

3f1e45f

The git Status

# On branch release
nothing to commit, working directory clean

Startup Command

docker-compose up -d

NetBox Logs

N/A

Content of docker-compose.override.yml

N/A

[kkthxbye-code]

When the new version is released and adopted upstream in debian

The base image is actually Ubuntu, Debian is actually still on OpenSSL 1.1.1, so it is not vulnerable.

As of right now, our expectation would be that a rebuild and redeploy with netbox-docker should automatically receive the fix, once it is available to debian users upstream.

Correct, when the new openssl package is released for ubuntu a rebuild should fix the image. @cimnine suggested on slack that they might cut a new release when the fixed openssl is avaliable in the repo.

As for risk, there is little for netbox proper. If you utilize webhooks or use custom scripts that sends HTTP requests over TLS, there might be a slight risk if the host you are connecting to is compromised.

[FliesLikeABrick]

Thanks @kkthxbye-code. Which Ubuntu release is the container based on, and where can we monitor to know when the updated package is available? Based on how we have netbox deployed we do not anticipate any real risk, however our security team is monitoring the patching of all systems they found to be vulnerable so we need to have the remediation deployed in a timely manner. I also added a few other questions to my original report above, at the same time as you were replying.

[FliesLikeABrick]

Looks like Ubuntu Jammy based on the fact that 3.0.2 is being used instead of 1.x or 3.0.5. In that case https://packages.ubuntu.com/jammy/openssl may be the place to monitor for information on when the upstream repositories are updated

[kkthxbye-code]

@FliesLikeABrick - Correct, the base image is ubuntu:22.04. I'm not sure where to monitor, but your link seems like the best bet.

Do any additional flags need to be passed to build.sh to ensure any cached metadata about available packages is purged for a complete rebuild?

You should be able to just run build-latest.sh if you were on the newest netbox version. Otherwise check the usage: https://github.com/netbox-community/netbox-docker/blob/release/build.sh#L9

[FliesLikeABrick]

Thanks for your help document this information here, I suspect other people will be looking for it in the coming hours/days. I think we can close this issue once the appropriate ubuntu package is released and someone has confirmed successful rebuild to pick it up

[kkthxbye-code]

@FliesLikeABrick - The following package should be it with the included backported fixes: https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.7

It's not in the repo yet, but I guess it should be soon. Just so you're not expecting the version to be 3.0.7.

[felixhuettner]

I just triggered ./build-latest.sh locally and it seems like the fixed openssl version is now present.

What would be the process now to get a new release with this fix in there?

[cimnine]

Whenever one of us maintainers has some quiet minutes, we'll merge the prepared PR #869 and proceed to the release. This will trigger new builds.

[cimnine]

The new release is made, and new images are being built and published.

[FliesLikeABrick]

For anyone looking to confirm their image has the patched package, here is the output after rebuilding the image:

-bash-4.2$ docker exec -it a85b21ee5b97 bash

unit@a85b21ee5b97:/opt/netbox/netbox$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
unit@a85b21ee5b97:/opt/netbox/netbox$ dpkg -l | grep openssl
ii openssl 3.0.2-0ubuntu1.7 amd64 Secure Sockets Layer toolkit - cryptographic utility
unit@a85b21ee5b97:/opt/netbox/netbox$

Unfortunately ubuntu kept the version at openssl3.0.2, and the build or release date still shows as March 2022. With dpkg we can see that the image has the 3.0.2-0ubuntu1.7 version which was released yesterday

[FliesLikeABrick]

openssl version -a shows the real date. "15 Mar 2022" must be preserved as the OpenSSL 3.0.2 release date.
unit@ca56c58ddbb6:/opt/netbox/netbox$ openssl version -a
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
built on: Thu Oct 27 17:06:56 2022 UTC