Open alex-rowe opened 1 month ago
Thanks for reaching out. Per OpenSSL, CVE-2024-9143 is low severity. 1.1.zb is not currently available for the AWS CLI to use, but the team can look into upgrading once it is available. As mentioned in the previous issue there are not currently plans for the ARM releases to also be statically linked.
Describe the issue
Similar to #8789
Tenable is reporting on ARM instances with AWS CLI installed, that the following files are out of date and should be updated to the latest 1.1.1zb OpenSSL release.
AWS CLI was recently updated to use the 1.1.1y, but that is also now considered out of date with the new za release.
Additional Information/Context
Tested on latest 2.18.9 as well.
Reported in https://www.tenable.com/plugins/nessus/209149
Previously in #8789 we asked about statically linking in the ARM installer, the same as the AMD installer, so that these vulnerabilities stop being reported by Tenable/Nessus scanners.
CLI version used
2.18.9
Environment details (OS name and version, etc.)
Linux aarch64