OpenSSL 1.1.1za out of date in ARM distributions for CVE-2024-9143
Describe the issue
Similar to #8789
Tenable is reporting on ARM instances with AWS CLI installed that the following files are out of date and should be updated to the latest 1.1.1zb OpenSSL release
Path : /usr/local/aws-cli/v2/2.17.65/dist/libcrypto.so.1.1
Reported version : 1.1.1za
Fixed version : 1.1.1zb
Path : /usr/local/aws-cli/v2/2.17.65/dist/libssl.so.1.1
Reported version : 1.1.1za
Fixed version : 1.1.1zb
AWS CLI was recently updated to use 1.1.1y, but that is also now considered out of date with the new za release.
Additional Information/Context
Tested on the latest 2.18.9 as well
% curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64-2.18.9.zip" -o "awscliv2.zip"
% unzip awscliv2.zip
% strings aws/dist/libcrypto.so.1.1 | grep "^OpenSSL 1.1.1"
OpenSSL 1.1.1za 3 Sep 2024
% strings aws/dist/libssl.so.1.1 | grep "^OpenSSL 1.1.1"
OpenSSL 1.1.1za 3 Sep 2024
Reported in https://www.tenable.com/plugins/nessus/209149
Previously in #8789 we asked about statically linking in the ARM installer, the same as the AMD installer, so that these vulnerabilities stop being reported by Tenable/Nessus scanners.
CLI version used
2.18.9
Environment details (OS name and version, etc.)
Linux aarch64
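The same check the report performs with `strings | grep`, as an added example that is not part of this issue or of the aws-cli project: it pulls the OpenSSL banner out of every lib*.so* under a directory (defaulting to the `aws/dist` path from the unzip above) and flags any build older than a chosen fixed release. The embedded sample bytes are constructed, not taken from a real libcrypto.

```python
"""Scan shared libraries for embedded OpenSSL version strings and flag
builds older than a given fixed release (e.g. 1.1.1zb for CVE-2024-9143)."""
import re
import sys
from pathlib import Path

# Matches the OPENSSL_VERSION_TEXT banner, e.g. "OpenSSL 1.1.1za  3 Sep 2024".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\b")

def version_key(version: str) -> tuple:
    """Sort key for OpenSSL versions. The 1.1.1 letter suffixes (a..z, then
    za, zb, zc) order correctly as plain lowercase strings, and an
    unsuffixed release ('') sorts before any lettered one."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version.lower())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def is_outdated(found: str, fixed: str) -> bool:
    """True when `found` is strictly older than `fixed`."""
    return version_key(found) < version_key(fixed)

def extract_openssl_versions(blob: bytes) -> list[str]:
    """Return the distinct OpenSSL versions embedded in a binary, in order."""
    seen: list[str] = []
    for m in VERSION_RE.finditer(blob):
        v = m.group(1).decode("ascii")
        if v not in seen:
            seen.append(v)
    return seen

def scan_dir(dist_dir: Path, fixed: str) -> dict[str, list[tuple[str, bool]]]:
    """Map each shared object under dist_dir to its (version, outdated) pairs."""
    results = {}
    for lib in sorted(dist_dir.rglob("lib*.so*")):
        versions = extract_openssl_versions(lib.read_bytes())
        if versions:
            results[str(lib)] = [(v, is_outdated(v, fixed)) for v in versions]
    return results

# Constructed stand-in for the strings table of the reported libcrypto.so.1.1.
SAMPLE_LIBCRYPTO = (b"\x00GCC: (GNU) 7.3.1\x00OpenSSL 1.1.1za  3 Sep 2024\x00"
                    b"OPENSSLDIR: \"/usr/local/ssl\"\x00")

if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "aws/dist")
    fixed = sys.argv[2] if len(sys.argv) > 2 else "1.1.1zb"
    for path, hits in scan_dir(target, fixed).items():
        for version, old in hits:
            print(f"{path}: {version} {'OUTDATED (< ' + fixed + ')' if old else 'ok'}")
```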
Thanks for reaching out. Per OpenSSL, CVE-2024-9143 is low severity. 1.1.1zb is not currently available for the AWS CLI to use, but the team can look into upgrading once it is available. As mentioned in the previous issue, there are not currently plans for the ARM releases to also be statically linked.
We missed updating this when it was addressed, but 1.1.1zb was released in 2.24.12. Additionally we moved to 1.1.1zc in 2.28.4 yesterday.
This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.