Hi Folks,
Apologies if this is not the correct forum location. I've checked and cannot see any recent posts in relation to this, so I'm hoping someone can help advise. I am currently looking after multiple cPanel-based servers running mainly CentOS 7.9 with cPanel installed. Our most recent iteration of a threat scan is reporting vulnerabilities with the installed version of OpenSSL provided by the alt-openssl package from the Imunify360 repository, as below.
Solution
Upgrade to OpenSSL version 1.1.1v or later.
Plugin Output
Path : /opt/alt/openssl11/lib64/libssl.so.1.1
Reported version : 1.1.1p
Fixed version : 1.1.1v
Package : alt-openssl-1:1.0.2k-2.el7.cloudlinux.10.x86_64
State : Dep-Install
Size : 1,340,834
Build host : build.cloudlinux.com
Build time : Fri Jun 30 09:37:55 2017
Packager : CloudLinux Packaging Team <packager@cloudlinux.com>
Vendor : CloudLinux
License : OpenSSL
URL : http://www.openssl.org/
Source RPM : alt-openssl-1.0.2k-2.el7.cloudlinux.10.src.rpm
Commit Time : Thu Jun 29 13:00:00 2017
The scan in question does appear to be referring mostly to CVE-2023-3446, which I can see is no longer in the support scope of RHEL as per https://access.redhat.com/security/cve/cve-2023-3446, so the base version will not be receiving a patch. The same issue has been found with the ea-openssl package, but this has since been patched within a recent update as per https://docs.cpanel.net/changelogs/e...hange-log-2023 in release EA-11578. Are you able to confirm if the alt-openssl package provided by CloudLinux/Imunify will be getting an update, and any possible timeline for this? If there is no planned patch then confirmation of this is fine, as I can push for migration/upgrades to an updated OS.
Thanks in advance.
Fazz
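An added example (not part of the post above, and not CloudLinux or cPanel tooling) showing the check a practitioner would run on such a scanner finding: parse the "Reported version" / "Fixed version" lines, compare OpenSSL 1.x version strings correctly (the trailing patch letter is what distinguishes 1.1.1p from 1.1.1v), and read the version string embedded in the library the scanner actually matched. It assumes a POSIX shell with sed, awk and, for the on-host helpers, strings and rpm; the scanner text is a constructed copy of the output quoted in the post.

```shell
#!/bin/sh
# Constructed copy of the plugin output quoted in the post.
SCAN_OUTPUT='Path : /opt/alt/openssl11/lib64/libssl.so.1.1
Reported version : 1.1.1p
Fixed version : 1.1.1v
Package : alt-openssl-1:1.0.2k-2.el7.cloudlinux.10.x86_64'

# scan_field NAME -> value of the "NAME : value" line in $SCAN_OUTPUT
scan_field() {
  printf '%s\n' "$SCAN_OUTPUT" | sed -n "s/^$1 *: *//p" | head -n 1
}

# openssl_key VERSION -> sortable key, e.g. 1.1.1p -> "1.1.1.16":
# the trailing patch letter becomes its alphabet position (a=1), none -> 0.
openssl_key() {
  num=$(printf '%s' "$1" | sed 's/[a-z]*$//')
  letter=$(printf '%s' "$1" | sed 's/^[0-9.]*//')
  pos=0
  if [ -n "$letter" ]; then
    pos=$(printf '%s' abcdefghijklmnopqrstuvwxyz | awk -v c="$letter" '{ print index($0, c) }')
  fi
  printf '%s.%s' "$num" "$pos"
}

# version_lt A B -> exit 0 when OpenSSL version A is older than B
version_lt() {
  awk -v a="$(openssl_key "$1")" -v b="$(openssl_key "$2")" 'BEGIN {
    n = split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# library_version FILE -> the "OpenSSL 1.x.yz" string embedded in a libssl or
# libcrypto binary (what a file-based scanner matches); fails if FILE is absent.
library_version() {
  [ -r "$1" ] || return 1
  strings "$1" | sed -n 's/^\(OpenSSL 1\.[0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# owning_package FILE -> RPM that owns FILE. The scanner's "Package" line names
# alt-openssl 1.0.2k, a different stream from the 1.1.1 library path it found,
# so confirm which package really ships the file before chasing an update.
owning_package() { rpm -qf "$1" 2>/dev/null; }

# scan_verdict -> "VULNERABLE-by-version" or "OK" from the scanner's own numbers
scan_verdict() {
  if version_lt "$(scan_field 'Reported version')" "$(scan_field 'Fixed version')"; then
    echo "VULNERABLE-by-version"
  else
    echo "OK"
  fi
}
```

Note that a version-string comparison like this is exactly what the scanner does, so it cannot see backported fixes; the vendor changelog (rpm -q --changelog on the owning package) is the place to confirm whether a given CVE was addressed without a version bump.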