
I run a Linux AMI on AWS with version 1.0.1k of OpenSSL.

$ openssl version -v
OpenSSL 1.0.1k-fips 8 Jan 2015

PCI compliance requires a version greater than 1.0.1p because they claim that there are known security issues with older versions. When I try to update the openssl package on the machine using 'yum', I am told that openssl is up to date.

$ sudo yum update openssl
No packages marked for update 

Does anyone else have a similar problem? Is it possible to install the latest openssl on the Linux AMI? Is the Linux AMI not capable of being PCI compliant?

For background, I am using Amazon Linux AMI release 2015.09

$ cat /etc/*-release
Amazon Linux AMI release 2015.09
Mika
  • So what you are saying is that I should flag a false positive because AWS back fixes the version of openssl I am running. – Mika Sep 29 '15 at 08:57
  • 2
    I have absolutely no idea what, if anything, Amazon does with Amazon Linux security issues. You will need documentation from them that the issues are fixed in a particular package, and I've never heard of Amazon supplying security notices. Combined with Amazon Linux not being a stable platform to begin with, I wouldn't recommend you use it at all. – Michael Hampton Sep 29 '15 at 09:00
  • The whole "don't use it at all" is not a good answer to any question other than "what should I use". AMI security bulletins: https://alas.aws.amazon.com/index.html They even have an RSS feed: https://alas.aws.amazon.com/alas.rss If you "have absolutely no idea what, if anything, Amazon does with Amazon Linux security issues", why are you advising on that subject? – Craig Jacobs Mar 02 '17 at 15:10
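The question and the comments above turn on one check: whether the installed 1.0.1k package carries a backported fix, which on an RPM-based system is recorded in the package changelog (`rpm -q --changelog openssl`). The following is an added example, not code from the original post; the changelog text it parses is constructed for the example in the shape rpm prints, not Amazon's real changelog. CVE-2015-1793 is the upstream issue that OpenSSL 1.0.1p fixed, so it is the natural ID to look for when a scanner demands "greater than 1.0.1p".

```shell
#!/bin/sh
# Added example: check an RPM changelog for a named CVE fix.
# SAMPLE_CHANGELOG is CONSTRUCTED for this example, in the format that
# 'rpm -q --changelog openssl' prints; it is not Amazon's actual changelog.
# CVE-2015-1793 is the issue fixed upstream in OpenSSL 1.0.1p (July 2015).
SAMPLE_CHANGELOG='* Thu Jul 09 2015 Example Maintainer <maint@example.com> - 1.0.1k-8
- fix CVE-2015-1793 - alternative chains certificate forgery
* Thu Mar 19 2015 Example Maintainer <maint@example.com> - 1.0.1k-1
- update to 1.0.1k'

# Print every CVE ID mentioned in a changelog, one per line, deduplicated.
cves_in_changelog() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the changelog mentions the given CVE exactly, 1 otherwise.
changelog_has_cve() {
    cve="$1"
    changelog="$2"
    cves_in_changelog "$changelog" | grep -qx -- "$cve"
}

# The same check against the package actually installed on this host.
# Needs rpm, so it only means anything on an RPM-based system such as Amazon Linux.
installed_openssl_has_cve() {
    changelog_has_cve "$1" "$(rpm -q --changelog openssl 2>/dev/null)"
}

# Usage demonstration on the constructed sample.
if changelog_has_cve CVE-2015-1793 "$SAMPLE_CHANGELOG"; then
    echo "sample changelog records a fix for CVE-2015-1793"
else
    echo "sample changelog has no entry for CVE-2015-1793"
fi
```

On a real Amazon Linux host, `installed_openssl_has_cve CVE-2015-1793` is the evidence to hand to the assessor: the package version string stays 1.0.1k, but the changelog entry shows which upstream fix was backported into that build.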

1 Answer


The scans are likely failing because the server signature has "openssl/1.0.1k" in the "Server" header of the response. That's the only way the scanner would know anything about what version of openssl is running.

If you want the scans to pass, you can try simply turning off ServerSignature in your web server. This removes "openssl/1.0.1k" from the HTTP response headers and the scan won't pick up on the old version number any more.

Since we know Amazon does backport all CVE fixes, as noted, this is perfectly safe to do.

Jason
  • It also means if in fact you are running an older, non-compliant version of OpenSSL, the only way they would know is if the vulnerabilities which are supposedly there are actually exploitable. Why security companies don't bother verifying the presence of a vulnerability and instead rely on version information in server signatures is a mystery to me. – Phil Mar 02 '18 at 04:15
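An added example, not part of the answer or the comments above, showing what the scanner actually reads and how to confirm the change took effect. In Apache the directive that controls the Server header is ServerTokens (ServerTokens Prod reduces it to "Server: Apache"); ServerSignature Off removes the matching footer from server-generated error pages, so both are worth setting. The two HTTP responses below are constructed for the example; the host name and versions in them are placeholders.

```shell
#!/bin/sh
# Added example: extract the OpenSSL version a banner-based scanner reads from
# the HTTP Server header. BEFORE and AFTER are CONSTRUCTED responses.
# Apache directives in httpd.conf that produce them:
#   ServerTokens Full   -> "Server: Apache/2.4.16 (Amazon) OpenSSL/1.0.1k-fips"  (weak)
#   ServerTokens Prod   -> "Server: Apache"                                     (hardened)
#   ServerSignature Off    removes the same version footer from error pages.
BEFORE='HTTP/1.1 200 OK
Date: Tue, 29 Sep 2015 08:00:00 GMT
Server: Apache/2.4.16 (Amazon) OpenSSL/1.0.1k-fips
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Date: Tue, 29 Sep 2015 08:00:00 GMT
Server: Apache
Content-Type: text/html'

# Print the value of the Server header from a raw response (header names are
# case-insensitive; CRLF line endings are stripped first).
server_header() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^Server:' | sed 's/^[^:]*:[[:space:]]*//'
}

# Print the OpenSSL version token advertised in the Server header, or nothing.
openssl_version_from_response() {
    server_header "$1" | grep -oiE 'OpenSSL/[^[:space:]]+' | sed 's|^[^/]*/||' | head -n 1
}

# Exit 0 when the response leaks an OpenSSL version, 1 when it does not.
leaks_openssl_version() {
    [ -n "$(openssl_version_from_response "$1")" ]
}

# Against a live host the equivalent check is:
#   curl -sI http://host/ | grep -i '^Server:'
for resp in "$BEFORE" "$AFTER"; do
    v=$(openssl_version_from_response "$resp")
    if [ -n "$v" ]; then
        echo "Server header advertises OpenSSL $v"
    else
        echo "Server header advertises no OpenSSL version"
    fi
done
```

Hiding the banner only changes what a version-matching scanner sees; it does not change the library on disk, which is why the changelog evidence from the package itself is still what proves the backported fix is present.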