[BUG] -Azure Service Fabric OpenSSL version 3.1.0.0 vulnerability #1487

Open
keithwlt opened this issue Mar 11, 2024 · 0 comments
Labels
type-code-defect Something isn't working

Describe the bug
Azure Service Fabric appears to be using OpenSSL version 3.1.0.0 which has a vulnerability as detailed in CVE-2023-2650.

Area/Component:
Azure Service Fabric OpenSSL version 3.1.0.0

To Reproduce
Steps to reproduce the behavior:

  1. Create a new Service Fabric cluster from the Azure portal. Use WindowsServer 2019-Datacenter for the Operating System. Service Fabric version used was 10.1.1541.9590.
  2. After the cluster is deployed, log in to one of the deployed virtual machines.
  3. Check the version information on these files; they both show Version: 3.1.0.0.
  • c:\program files\microsoft service fabric\bin\fabric\fabric.code\libcrypto-3-x64.dll
  • c:\program files\microsoft service fabric\bin\fabric\fabric.code\libssl-3-x64.dll

Expected behavior
Update needed to OpenSSL version used by Azure Service Fabric

Observed behavior:
Check the version information on these files, they both show Version: 3.1.0.0.

  • c:\program files\microsoft service fabric\bin\fabric\fabric.code\libcrypto-3-x64.dll
  • c:\program files\microsoft service fabric\bin\fabric\fabric.code\libssl-3-x64.dll

Service Fabric Runtime Version:
10.1.1541.9590
10.0.1949.9590

Environment:

  • Azure
  • OS: Windows Server 2019
  • Version 10.1.1541.9590

If this is a regression, which version did it regress from?

Additional context
I reported this through MSRC and they just closed the case.


Assignees: /cc @microsoft/service-fabric-triage

@keithwlt keithwlt added the type-code-defect Something isn't working label Mar 11, 2024
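
The version check from step 3 of the report, scripted so it can be run on each cluster node. This is an added example, not part of the original issue or of Service Fabric. The two DLL paths are the ones named in the report; the first fixed releases (3.0.9 and 3.1.1) are an assumption taken from the OpenSSL advisory for CVE-2023-2650, not from the issue, and `Test-OpenSslFileVersion` is a hypothetical helper name.

```powershell
# Added example: report the OpenSSL file version bundled with Service Fabric.
# Paths are the two DLLs named in the issue.
$dlls = @(
    'C:\Program Files\Microsoft Service Fabric\bin\Fabric\Fabric.Code\libcrypto-3-x64.dll',
    'C:\Program Files\Microsoft Service Fabric\bin\Fabric\Fabric.Code\libssl-3-x64.dll'
)

# Assumption (OpenSSL advisory for CVE-2023-2650, not stated in the issue):
# first release on each 3.x branch that contains the fix.
$firstFixed = @{
    '3.0' = [version]'3.0.9'
    '3.1' = [version]'3.1.1'
}

function Test-OpenSslFileVersion {
    param([Parameter(Mandatory)][string]$Path)

    # A node without the runtime installed should be reported, not fail the run.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Version = $null; Status = 'NotFound' }
    }

    # Build the version from the numeric parts of the version resource;
    # the FileVersion string itself may carry extra text.
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $v = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)

    $branch = '{0}.{1}' -f $v.Major, $v.Minor
    if (-not $firstFixed.ContainsKey($branch)) {
        # Branch not covered by the table above: flag for manual review.
        $status = 'UnknownBranch'
    } elseif ($v -lt $firstFixed[$branch]) {
        $status = 'Affected'
    } else {
        $status = 'Fixed'
    }

    [pscustomobject]@{ Path = $Path; Version = $v; Status = $status }
}

$dlls | ForEach-Object { Test-OpenSslFileVersion -Path $_ } | Format-Table -AutoSize
```

The result reflects only the DLL's version resource; it does not show whether a fix was backported into a build that still reports an older version number.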