5

According to Ubuntu's CVE-2022-0778 this release should address the CVE. However, when I look at the OpenSSL version I can't really tell that it is 1.1.1n. I do see that it was built on Mar 9 prior to:

  • OpenSSL making the source available to the public
  • Ubuntu distro managers importing OpenSSL 1.1.1n into their repo (which may just be a public facing repo)

So, how would I know that this is truly 1.1.1n?

Ubuntu 18.04 system after upgrade

OpenSSL 1.1.1  11 Sep 2018
built on: Wed Mar  9 12:13:40 2022 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,
--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-vxXVMf/openssl-1.1.1=. 
-fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE 
-DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
-DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM 
-DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM 
-DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM 
-DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

Distro Maintainer

Ubuntu Repo: https://git.launchpad.net/ubuntu/+source/openssl

Tags:

* 3b83ed56dea2b735e31731fd042b52ff869f9a97 - 
(tag: import/1.1.1n-1, origin/debian/sid) 1.1.1n-1 
(patches unapplied) (c: Wed, 16 Mar 2022 04:33:58 +0000) 
(a: Tue, 15 Mar 2022 19:46:18 +0100) <Sebastian Andrzej Siewior>%

applied/1.1.1n-1
*   d4d5eeef3576b16013c48abc435c5da889cedf1b - (tag: applied/1.1.1n-1, 
origin/applied/debian/sid) 1.1.1n-1 (patches applied) 
(c: Wed, 16 Mar 2022 04:33:58 +0000) 
(a: Tue, 15 Mar 2022 19:46:18 +0100) <Sebastian Andrzej Si
Laurel
  • 129
  • 7
Peter Kahn
  • 207
  • 3
  • 11

3 Answers3

6

Once a security update is in status released, the simple thing to do is apply updates, apt update && apt upgrade

Consider implementing some kind of patch management report to confirm all hosts are updated and compliant. These range from simple scripts to products you might buy.

So, how would I know that this is truely 1.1.1n?

Ubuntu's fix for CVE-2022-0778 is not 1.1.1n. Like other stable distributions, they have a habit of backporting only the specific fix to their chosen version. Read the table again, and notice that bionic is openssl 1.1.1-1ubuntu2.1~18.04.15 The funny-looking version string appended at the end is important, it indicates which build.

build on Mar 9 prior to openssl making the source available to the public

It takes time to build and test software. Ubuntu, like other distros, is on a list to get notified prior to general announcement. Reduces time users are exposed to flaws.

A build date is a good sanity check that you have the required patch level, but realize it is possible to be built before upstream's announcement without needing a time machine.

Ubuntu distro managers importing openssl 1.1.1n into their repo (which may just be a public facing repo)

Beware making conclusions about what in version control actually goes into a fix for your version. Based on the branch names, that probably has to do with Ubuntu comparing to Debian sid or upstream releases. Not bionic.

Refer to the security advisory.

John Mahowald
  • 32,050
  • 2
  • 19
  • 34
5

So, how would I know that this is truely 1.1.1n?

it won't be 1.1.1n as, as John Mahowald says, Ubuntu will have backported the fix into their supported version for 18.04 which from the linked table is 1.1.1-1ubuntu2.1~18.04.15.

You can find out what openssl packages are installed on your system using

apt list --installed | grep openssl

You can examine the changelog to see what updates have been applied/backported

apt-get changelog openssl

or even look on the Ubuntu changelog server.

The changelog confirms that openssl 1.1.1-1ubuntu2.1~18.04.15 has patches applied for CVE-2022-0778.

user9517
  • 115,471
  • 20
  • 215
  • 297
  • For Ubuntu 20.04.4 LTS, I assume the patch is in openssl 1.1.1f as per changelog: * openssl (1.1.1f-1ubuntu2.12) focal-security; urgency=medium * SECURITY UPDATE: Infinite loop in BN_mod_sqrt() - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in crypto/bn/bn_sqrt.c. - debian/patches/CVE-2022-0778-2.patch: add documentation of BN_mod_sqrt() in doc/man3/BN_add.pod. – Benjamin Hastings Mar 22 '22 at 16:43
  • No need to assume, the security advisory says focal is 1.1.1f-1ubuntu2.12. Again, the release string at the end is important to indicate which build has the backported fix - upstream 1.1.1f is 31 Mar 2020 and does not have this. A package change log is nice to confirm, but the primary reference should be the advisory. – John Mahowald Mar 22 '22 at 19:02
0

Type

openssl version

At command prompt

Mine gives

OpenSSL 1.1.1m 14 Dec 2021

user2829154
  • 1
  • 1
    OpenSSL version is unfortunately not enough, because backports exist. This is the same mistake that unsophisticated vulnerability scans make. Read the advisory. – John Mahowald Mar 23 '22 at 16:40
  • I'm guessing a backport would also show a different version string if it is a different version: It is calling openssl directly. – user2829154 Mar 23 '22 at 19:28