Azure CLI files "libssl-3.dll" and "libcrypto-3.dll" are flagged for OpenSSL vulnerabilities
Describe the bug
After the installation of Azure CLI on Windows Server 2019, Microsoft Defender for Cloud is flagging the two files "libssl-3.dll" and "libcrypto-3.dll" as a "Critical Vulnerability" due to the installed version "3.0.13.0".
Azure CLI is installed on the server and running on the latest version (2.63.0); the az upgrade command was used to upgrade.
The Defender recommendation points to CVE-2024-2511 (https://nvd.nist.gov/vuln/detail/CVE-2024-2511), a Denial of Service vulnerability related to TLS versions in the OpenSSL libraries.
Microsoft Defender for Cloud points to c:\program files\Microsoft\sdks\azure\cli2\libcrypto-3.DLL and c:\program files\Microsoft\sdks\azure\cli2\libssl-3.DLL, which are on version 3.0.13.0.
Requesting support on mitigation, as this recommendation appears as Critical on Microsoft Defender for Cloud, and also on the vulnerability resolution.
Additional:
According to https://www.openwall.com/lists/oss-security/2024/04/08/5:
Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions
Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service
This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation.
This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients.
The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.
OpenSSL 3.2, 3.1, 3.0, 1.1.1 are vulnerable to this issue.
OpenSSL 3.2 users should upgrade to OpenSSL 3.2.2 once it is released.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.6 once it is released.
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.14 once it is released.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1y once it is released.
Related command
No commands related to this.
Errors
No errors on the commands, as this is flagged on Microsoft Defender for Cloud.
Issue script & Debug output
N/A
Expected behavior
Vulnerability should be addressed.
Environment Summary
{ "azure-cli": "2.63.0", "azure-cli-core": "2.63.0", "azure-cli-telemetry": "1.1.0", "extensions": { "ssh": "2.0.5" } }
Additional context
Request:
Provide an acknowledgement of the issue and whether a new version is being prepared. Provide a workaround for the immediate mitigation of the vulnerability.
Thank you for opening this issue, we will look into it.
This file is from embedded Python. In the latest Python version, it still uses OpenSSL 3.0.13. There is no way to fix this from the Azure CLI side unless the Python community fixes this.
This CVE does not affect CLI:
This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. (https://nvd.nist.gov/vuln/detail/CVE-2024-2511)
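Added example, not code from this thread or from the Azure CLI project: a Python triage script for the two questions the advisory text above raises, whether a linked OpenSSL is older than the fixed release for its branch (3.0.14, 3.1.6, 3.2.2, 1.1.1y), and whether a given SSLContext is actually in the one exposed configuration, a TLSv1.3 server with SSL_OP_NO_TICKET set, which a client-only program such as Azure CLI never is. The names FIXED_RELEASES, library_below_fix, context_exposed and example_context are this example's own.

```python
import re
import ssl

# First fixed release per branch, as listed in the advisory quoted in the issue.
FIXED_RELEASES = {"3.2": "3.2.2", "3.1": "3.1.6", "3.0": "3.0.14", "1.1.1": "1.1.1y"}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")

def parse_version(text):
    """Return (major, minor, patch, letter) from strings such as
    'OpenSSL 3.0.13 30 Jan 2024' (ssl.OPENSSL_VERSION) or '3.0.13.0' (Defender)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letter = m.groups()
    # 1.1.1 patch letters (1.1.1a .. 1.1.1y) sort after the bare release.
    return (int(major), int(minor), int(patch), ord(letter) if letter else 0)

def library_below_fix(version_text):
    """True when the library is on a branch the advisory lists and is older than
    that branch's fixed release; 1.0.2 and unlisted branches return False."""
    v = parse_version(version_text)
    branch = "1.1.1" if v[:3] == (1, 1, 1) else f"{v[0]}.{v[1]}"
    fixed = FIXED_RELEASES.get(branch)
    return fixed is not None and v < parse_version(fixed)

def context_exposed(ctx):
    """Exposed only as a TLS *server* that can negotiate TLSv1.3 with SSL_OP_NO_TICKET set.
    (The advisory's early_data/anti-replay exception is not visible through Python's ssl.)"""
    if ctx.protocol != ssl.PROTOCOL_TLS_SERVER:
        return False  # client contexts, which are all Azure CLI creates, are never affected
    if not ssl.HAS_TLSv1_3 or ctx.options & ssl.OP_NO_TLSv1_3:
        return False  # TLSv1.3 cannot be negotiated at all
    if ctx.maximum_version not in (ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.MAXIMUM_SUPPORTED):
        return False  # capped below TLSv1.3
    return bool(ctx.options & ssl.OP_NO_TICKET)

def example_context(role, no_ticket=False, cap_at_tls12=False):
    """Constructed contexts for exercising context_exposed(); no listener is started."""
    if role == "client":
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if no_ticket:
        ctx.options |= ssl.OP_NO_TICKET
    if cap_at_tls12:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "below fix:", library_below_fix(ssl.OPENSSL_VERSION))
```

Run it from the CLI's embedded interpreter to see which OpenSSL that Python actually links; a scanner that only reads the DLL's file version cannot tell a client from a server.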
@yonzhan as per @bebound this CVE does not affect CLI, so this is a false positive from Microsoft Defender for Cloud. Does the Defender team have a GitHub repo where we can report this?
I don't know how to report a false positive for Microsoft Defender. It likely only checks the OpenSSL version and doesn't care whether it's a server or client.
We've bumped the Python version since 2.66.0, which addresses this issue.