Information on Authentication Manager 8.x and the use of OpenSSL (old)
Originally Published: 2024-05-21
Article Number
000072289
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
Customers report that their vulnerability scanner has flagged Authentication Manager for one or more OpenSSL vulnerabilities.

This article provides information on Authentication Manager and OpenSSL.
Resolution

A note from CE

RSA Authentication Manager does not build or ship its own OpenSSL. OpenSSL is part of the SUSE Linux Enterprise Server (SLES) distribution on which Authentication Manager runs, and the fix status of each OpenSSL CVE for that distribution is published by SUSE (for example at https://www.suse.com/security/cve/).

We do not have specific information about how each component uses OpenSSL (or libopenssl), but briefly, these are the packages that depend on the OpenSSL packages on the Authentication Manager 8.7 SP1 appliance:

openssl-1_1 (the openssl command-line tool):

  • ca-certificates

libopenssl1_1 (the shared libraries libssl.so.1.1 and libcrypto.so.1.1):

  • clamav
  • freeradius-server
  • freeradius-server-libs
  • freeradius-server-utils
  • iputils-s20161105
  • kmod
  • krb5
  • libarchive13
  • libclamav9
  • libcryptsetup12
  • libcurl4
  • libdns1605
  • libevent
  • libfido2
  • libfreshclam2
  • libisc1606
  • libkmod2
  • libldap
  • libpq5
  • librdkafka1
  • libsnmp40
  • libssh4
  • libvmtools0
  • libxmlsec1-openssl1
  • libzypp
  • mailx
  • net-snmp
  • open-vm-tools
  • openslp
  • openssh-clients
  • openssh-common
  • openssh-server
  • openssl
  • perl-Net-SSLeay
  • postgresql14
  • postgresql14-contrib
  • postgresql14-server
  • python3-base
  • rsyslog
  • tcpdump
  • w3m
  • wget

To see which installed packages depend on a package,
  1. SSH to the server as the rsaadmin user.
  2. Once logged in, elevate privilege to root with the command sudo su -.
  3. Use rpm in test mode to simulate removing the package. rpm refuses, and the "Failed dependencies" error it prints lists every installed package that requires the package's libraries; nothing is actually removed. For example: rpm -e --test libopenssl1_1
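The dependency errors that rpm -e --test prints are verbose (one line per library symbol version, many lines per dependent package). The following script, added here as an example and not part of the RSA article or the appliance, condenses that output into the list of dependent package names, which is the form the list above is in. The sample output embedded in it is constructed to match rpm's error format; the package versions in it are made up. Run it as root on the appliance to query the live rpm database, or as-is to see the parser work on the sample.

```python
#!/usr/bin/env python3
"""Added example (not from the RSA article): list the installed packages that
depend on an OpenSSL package by parsing the dependency errors that
`rpm -e --test <package>` prints. Nothing is removed: --test only reports.
Assumes a SLES host with python3 (python3-base is in the appliance package
list above)."""
import re
import subprocess
from typing import Dict, Set, Tuple

# rpm prints one line per unsatisfied capability, for example:
#   libssl.so.1.1()(64bit) is needed by (installed) openssh-server-8.4p1-150300.3.15.1.x86_64
_NEEDED_BY = re.compile(r"is needed by \(installed\) (\S+)\s*$")


def split_nvra(nvra: str) -> Tuple[str, str, str, str]:
    """Split name-version-release.arch. Package names may contain dashes
    (freeradius-server-libs), so version and release are taken from the
    right and the arch from after the last dot."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def dependents_from_rpm_test(output: str) -> Dict[str, Set[str]]:
    """Map each dependent package name to the OpenSSL capabilities it needs."""
    deps: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        match = _NEEDED_BY.search(line)
        if not match:
            continue  # the "error: Failed dependencies:" header and blank lines
        capability = line.split(" is needed by ", 1)[0].strip()
        name = split_nvra(match.group(1))[0]
        deps.setdefault(name, set()).add(capability)
    return deps


def dependents_of(package: str = "libopenssl1_1") -> Dict[str, Set[str]]:
    """Query the live rpm database (run as root). rpm exits non-zero when
    dependencies block the removal, which is the expected outcome here, so
    the exit status is ignored and only the text is parsed."""
    proc = subprocess.run(["rpm", "-e", "--test", package],
                          capture_output=True, text=True)
    return dependents_from_rpm_test(proc.stderr + proc.stdout)


# Constructed sample in rpm's output format; the version strings are made up.
SAMPLE_OUTPUT = """\
error: Failed dependencies:
\tlibssl.so.1.1()(64bit) is needed by (installed) openssh-server-8.4p1-150300.3.15.1.x86_64
\tlibcrypto.so.1.1()(64bit) is needed by (installed) openssh-server-8.4p1-150300.3.15.1.x86_64
\tlibcrypto.so.1.1(OPENSSL_1_1_0)(64bit) is needed by (installed) freeradius-server-libs-3.0.21-150300.3.3.1.x86_64
\tlibssl.so.1.1(OPENSSL_1_1_0)(64bit) is needed by (installed) postgresql14-server-14.8-150200.5.19.1.x86_64
"""

if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with dependents_of() when running as root on the appliance.
    for name, caps in sorted(dependents_from_rpm_test(SAMPLE_OUTPUT).items()):
        print("{}: {}".format(name, ", ".join(sorted(caps))))
```

Note that rpm -q --whatrequires libopenssl1_1 is not a substitute: package dependencies are recorded against the soname capabilities (libssl.so.1.1()(64bit), libcrypto.so.1.1()(64bit)), not the package name, so the query by package name returns little or nothing. Querying the capability directly (rpm -q --whatrequires 'libssl.so.1.1()(64bit)') works, but the test-removal approach above covers every capability the package provides in one step.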

 * * *

OpenSSL components are upgraded as part of an operating system upgrade. When that happens, RSA includes the upgrade in an Authentication Manager patch as necessary.

Please see:
  • OpenSSL 1.1.1 < 1.1.1t Multiple Vulnerabilities
Incorrectly reported. For example: https://www.suse.com/security/cve/CVE-2023-0286.html. This is a scanner error: the scanner assumes the appliance is running OpenSSL built from the openssl.org 1.1.1t source and compares the upstream version string it sees (1.1.1d) against the upstream fixed version (1.1.1t). We use the packages from SUSE that are built for our appliance. SUSE's openssl-1_1 package is based on the 1.1.1d source with each subsequent CVE fix backported onto that base, so the upstream version string stays 1.1.1d while the package release number (the part after 1.1.1d-) increases with every fix. Whether a given CVE is fixed on the appliance is therefore determined by the package release listed on the SUSE CVE page, not by the upstream version string.
 
CVE-2023-0286 is resolved in Authentication Manager 8.7 patch 4 (released May 2023) and is listed in RSA-2023-06: RSA Authentication Manager Security Update for Third-Party Component Vulnerabilities | RSA Community.

For Authentication Manager 8.7 SP2 patch 2 (released May 2024), SLES supplies openssl-1_1-1.1.1d-150200.11.851. This release adds the fix for CVE-2024-0727.
Notes
If you confirm with the openssl version command that your Authentication Manager server or Web Tier is running OpenSSL 1.1.1d, and with rpm -q openssl-1_1 libopenssl1_1 that the package release is at or above the release SUSE lists as fixed, but your credentialed scan still flags these OpenSSL vulnerabilities, contact your scanner vendor's support team to determine why the finding is raised.

There are several package releases of OpenSSL 1.1.1d, so one possibility is that your scanner compares the release string and concludes that your OpenSSL 1.1.1d package is not equal to or newer than 1.1.1d-11.20.1, or not newer than 1.1.1d-9.9 (see the article on CVE-2016-0702 posted on suse.com for an example of such release-based thresholds).
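The two comparisons at the heart of this false positive, as an added example (not code from the RSA article or from SUSE): a version-only check flags 1.1.1d against the upstream fixed version 1.1.1t, whereas a distribution-aware check compares the full version-release of the installed package against the release in which the vendor backported the fix. The comparison below follows rpm's rpmvercmp rules (simplified: tilde and caret are not handled). The installed string is the one quoted for 8.7 SP2 patch 2 above and the thresholds are the ones quoted in these Notes; for a real finding, take the fixed release from the SUSE CVE page.

```python
#!/usr/bin/env python3
"""Added example (not from the RSA article or SUSE): why a version-string
scanner flags SUSE's backported OpenSSL, and how to compare the package
release against the vendor's fixed release instead."""
import re
from typing import Tuple

# rpm splits version strings into runs of digits and runs of letters;
# separators such as '.' and '_' only delimit segments.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as rpm would for two version or release strings:
    numeric segments compare as integers, alphabetic ones lexically, a
    numeric segment beats an alphabetic one, and when all shared segments
    are equal the string with more segments is newer."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
            continue  # "01" and "1" are equal
        if x_num != y_num:
            return 1 if x_num else -1
        return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_vr(vr: str) -> Tuple[str, str]:
    """'1.1.1d-150200.11.851' -> ('1.1.1d', '150200.11.851'). rpm versions
    never contain '-', so the first dash separates version from release."""
    version, _, release = vr.partition("-")
    return version, release


def compare_vr(installed: str, fixed: str) -> int:
    """Compare version first, then release, exactly as rpm orders packages."""
    iv, ir = split_vr(installed)
    fv, fr = split_vr(fixed)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def naive_scanner_flags(installed_version: str, upstream_fixed: str) -> bool:
    """What a version-only check does: 1.1.1d < 1.1.1t, so it raises a finding
    regardless of which fixes the distribution has backported."""
    return rpmvercmp(installed_version, upstream_fixed) < 0


def distro_fixed(installed_vr: str, fixed_vr: str) -> bool:
    """Distribution-aware check: the installed version-release is at or above
    the release in which the vendor shipped the backported fix."""
    return compare_vr(installed_vr, fixed_vr) >= 0


if __name__ == "__main__":
    installed = "1.1.1d-150200.11.851"  # version-release quoted in this article
    print("version-only check flags 1.1.1d:", naive_scanner_flags("1.1.1d", "1.1.1t"))
    for threshold in ("1.1.1d-11.20.1", "1.1.1d-9.9"):  # thresholds from the Notes
        print("{} >= {}: {}".format(installed, threshold, distro_fixed(installed, threshold)))
```

The installed version-release comes from rpm -q libopenssl1_1 on the appliance (strip the package name and the trailing .x86_64). A scanner that reads only the upstream version from openssl version output, or from a banner, cannot make the second comparison, which is what to raise with the scanner vendor.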

* * *

The RSA technical support team does use the OpenSSL components that come with the operating system to perform some troubleshooting tasks. For example,
  • To confirm which OpenSSL version the appliance is running (the package release, which is what determines which CVE fixes are present, comes from rpm -q openssl-1_1 libopenssl1_1):
openssl version
  • To check replication, by confirming that the replication port accepts a TLS connection:
openssl s_client -connect <IP address or FQDN>:7002 </dev/null
  • To get raw certificate data, which can be copied and exported (s_client prints the server certificate in PEM form; -showcerts prints the whole chain the server sends):
openssl s_client -connect <IP address or FQDN>:636 -showcerts </dev/null