03/25/2021, 3:27 PM
Now we have the openssl vulnerability. https://www.openssl.org/news/secadv/20210325.txt
An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.
In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.
3:28 PM
Oh hey, I probably know the reporter.
Mike Myers

03/25/2021, 4:09 PM
I see. Then we appear not to be affected. But we ought to update anyway because someone will run Black Duck Software and see "osquery has a high severity CVE in openssl dependency"


03/25/2021, 4:41 PM
I like the concept of Black Duck but those style false positives are not fun to deal with.


03/25/2021, 7:43 PM
Feature request: migrate to BoringSSL


03/30/2021, 4:08 PM
As a near-complete-outsider to osquery, can I take @Mike Myers' statement "we appear not to be affected" as official word from OSQuery? Or will there be further investigation/announcement planned?
Mike Myers

03/30/2021, 4:10 PM
The upgrade to latest OpenSSL is merged in the master branch already, but yeah, the consensus seems to be we are not affected by the issue because we don't use the (non-default) affected set of TLS flags and configuration. If you want, you can come to office hours at the top of the hour (see #officehours) and we can discuss more.