Ultra Messaging Knowledge Base
Older versions of UM are linked with old, vulnerable versions of the OpenSSL libraries "libssl.so" and "libcrypto.so". Customers wishing to eliminate the vulnerable files from their systems may follow these instructions.
• SSL Patch
• Introduction
• Is Patching Necessary?
• UM Versions 6.8 and Below
• CentOS: UM 6.8 and Below
• Ubuntu: UM 6.8 and Below
• UM Versions 6.12 and Above
Introduction
Older versions of the Ultra Messaging library (liblbm.so) are linked with old, vulnerable versions of the OpenSSL libraries "libssl.so" and "libcrypto.so". System administrators frequently deploy automated security checkers which flag the UM-supplied OpenSSL libraries as vulnerable. They request that we either remove the vulnerable files or upgrade to a newer, more secure version of OpenSSL.
This article describes procedures for older UM versions up to and including 6.8.*, and for newer versions 6.12 and above. In all cases, it is assumed that UM encryption features are not being used.
For UM versions 6.9.* - 6.11.*, there is no usable patch; users must upgrade to version 6.12 or above.
Is Patching Necessary?
It could be argued that for customers that are not using the UM encryption features, there is no compelling need to make any changes. It doesn't matter if the OpenSSL functions are vulnerable since the UM library won't call any of them.
However, we understand that IT departments establish policies to ensure their systems aren't vulnerable. It's one thing to say that UM won't call the functions, but it's another thing to prove it cannot happen.
So, in an abundance of caution, the following procedures eliminate the vulnerable code altogether.
ATTENTION: in some cases we replace the older vulnerable library with a symbolic link of the same name. This might trigger a false positive on an automated system scan that assumes the name of the file alone indicates the library version. Unfortunately, for older versions of UM, the name of the link cannot be changed. Please rest assured that the link references an acceptable version.
UM Versions 6.8 and Below
The principle is to replace UM's OpenSSL libraries with your system's resident versions. It is assumed that the OpenSSL version resident on your system complies with your policies.
Two examples will be given, one on a CentOS system and the other on Ubuntu.
CentOS: UM 6.8 and Below
1. Determine where your system stores the OpenSSL libraries.
$ ldd $(which ssh) | egrep libcrypto
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007facbd1ff000)
The desired libcrypto is after the "=>": /lib64/libcrypto.so.1.1. Note the directory "/lib64".
2. Using the directory determined from step 1, identify the latest libssl.so.* file.
$ ls -F /lib64/libssl.so.*
/lib64/libssl.so.1.1@ /lib64/libssl.so.1.1.1g*
The "-F" flag adds a suffix character. Ignore the "@" file since it's a symbolic link. The "*" means executable, so the desired library is /lib64/libssl.so.1.1.1g (without the "*").
3. Rename the vulnerable files. Substitute your UM location on the "cd" command.
$ cd $HOME/UMP_6.7.1.7/Linux-glibc-2.5-x86_64/lib
$ ls libssl.so.* libcrypto.so.*
libcrypto.so.1.0.0 libssl.so.1.0.0
$ mv libcrypto.so.1.0.0 libcrypto.so.1.0.0.insecure
$ mv libssl.so.1.0.0 libssl.so.1.0.0.insecure
4. Create symbolic links for the files.
$ ln -s /lib64/libssl.so.1.1.1g libssl.so.1.0.0
$ ln -s /lib64/libcrypto.so.1.1 libcrypto.so.1.0.0
Once this patch is tested, the *.insecure libraries can be deleted.
Ubuntu: UM 6.8 and Below
1. Determine where your system stores the OpenSSL libraries.
$ ldd $(which ssh) | egrep libcrypto
libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007ff30e7e3000)
The desired libcrypto is after the "=>": /lib/x86_64-linux-gnu/libcrypto.so.1.1. Note the directory "/lib/x86_64-linux-gnu".
2. Using the directory determined from step 1, identify the latest libssl.so.* file.
$ ls -F /lib/x86_64-linux-gnu/libssl.so.*
/lib/x86_64-linux-gnu/libssl.so.1.1
No symbolic link was found, and the library is not marked executable. That's fine; it is the right one.
3. Rename the vulnerable files. Substitute your UM location on the "cd" command.
$ cd $HOME/UMP_6.7.1.7/Linux-glibc-2.5-x86_64/lib
$ ls libssl.so.* libcrypto.so.*
libcrypto.so.1.0.0 libssl.so.1.0.0
$ mv libcrypto.so.1.0.0 libcrypto.so.1.0.0.insecure
$ mv libssl.so.1.0.0 libssl.so.1.0.0.insecure
4. Create symbolic links for the files.
$ ln -s /lib/x86_64-linux-gnu/libssl.so.1.1 libssl.so.1.0.0
$ ln -s /lib/x86_64-linux-gnu/libcrypto.so.1.1 libcrypto.so.1.0.0
Once this patch is tested, the *.insecure libraries can be deleted.
UM Versions 6.12 and Above
Starting with UM version 6.12, UM does not link directly with the OpenSSL libraries. Instead, they are loaded only if UM encryption features are used.
So with UM version 6.12 and above, simply move the vulnerable files out of the way (the commands below rename them in place); no symbolic links are needed. Substitute your UM location on the "cd" command.
$ cd $HOME/UMP_6.12.1/Linux-glibc-2.17-x86_64/lib
$ ls libssl.so.* libcrypto.so.*
libcrypto.so.1.0.0 libssl.so.1.0.0
$ mv libcrypto.so.1.0.0 libcrypto.so.1.0.0.insecure
$ mv libssl.so.1.0.0 libssl.so.1.0.0.insecure
Once this patch is tested, the *.insecure libraries can be deleted.
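The three procedures above (CentOS and Ubuntu for UM 6.8 and below, and the rename-only procedure for UM 6.12 and above) differ only in whether a symbolic link is left behind, so they can be scripted as one set of shell functions. The POSIX shell script below is an added example, not part of this knowledge base article or of the UM distribution. It assumes that the UM lib directory (the one containing liblbm.so) is supplied in an environment variable named UM_LIB_DIR, that the system OpenSSL is located the way the article does it (ldd on the ssh binary), that readelf is installed, and that UM encryption features are not in use. Instead of consulting the version number, it decides which procedure applies by checking whether liblbm.so carries a NEEDED entry for libssl or libcrypto, and it finishes with a check that no real OpenSSL file remains under its original name. All function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the UM knowledge base article or the UM product.
# Automates the procedures above for UM 6.8 and below (CentOS/Ubuntu layouts)
# and for UM 6.12 and above.  Assumptions: the UM lib directory (containing
# liblbm.so) is passed in UM_LIB_DIR, the system OpenSSL is located the way
# the article does it (ldd on the ssh binary), readelf is installed, and UM
# encryption features are not in use.

# Extract the resolved path from one line of ldd output, e.g.
#   "libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007facbd1ff000)"
# yields /lib64/libcrypto.so.1.1 (nothing if the line has no "=>").
ldd_resolved_path() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*=> *\([^ ]*\).*$/\1/p'
}

# Ask ldd which file a known OpenSSL consumer (ssh, as in the article) loads.
system_lib_path() {   # $1 = libssl | libcrypto, $2 = reference binary (default ssh)
    ref=$(command -v "${2:-ssh}") || return 1
    line=$(ldd "$ref" | grep "$1\.so") || return 1
    ldd_resolved_path "$line"
}

# Pick the real (non-symlink) NAME.so.* file in a directory, which is what
# the "ls -F" step does by ignoring the "@" entries.  If several real files
# exist, the last in sorted order (highest version string) is returned.
real_lib_in_dir() {   # $1 = directory, $2 = libssl | libcrypto
    for f in "$1"/"$2".so.*; do
        [ -f "$f" ] && [ ! -L "$f" ] && printf '%s\n' "$f"
    done | sort | tail -n 1
}

# Does the library link OpenSSL directly?  Takes "readelf -d" text so it can
# also be run on saved output.  UM 6.8 and below: yes; UM 6.12 and above: no.
needs_openssl() {   # $1 = output of "readelf -d <library>"
    printf '%s\n' "$1" | grep '(NEEDED)' | grep -q -E 'libssl|libcrypto'
}

# Rename every real NAME.so.* in the UM lib directory to NAME.so.X.insecure,
# as the mv steps do.  With a replacement path (UM 6.8 and below) leave a
# symbolic link of the original name, as the ln -s steps do; without one
# (UM 6.12 and above) the rename alone is the patch.  Safe to re-run.
retire_um_lib() {   # $1 = UM lib dir, $2 = libssl | libcrypto, $3 = replacement (optional)
    for old in "$1"/"$2".so.*; do
        case "$old" in *.insecure) continue ;; esac
        [ -f "$old" ] && [ ! -L "$old" ] || continue   # skip links, unmatched globs
        mv "$old" "$old.insecure"
        [ -z "${3:-}" ] || ln -s "$3" "$old"
    done
}

# Post-patch check: no real OpenSSL file may remain under its original name,
# and any link left in place must point at an existing target.  Lists the
# offenders and returns 1 if there are any.
check_um_libs() {   # $1 = UM lib dir
    bad=0
    for f in "$1"/libssl.so.* "$1"/libcrypto.so.*; do
        case "$f" in *.insecure) continue ;; esac
        [ -e "$f" ] || [ -L "$f" ] || continue          # unmatched glob
        if [ ! -L "$f" ] || [ ! -e "$f" ]; then
            printf 'NOT PATCHED: %s\n' "$f"
            bad=1
        fi
    done
    return $bad
}

main() {   # $1 = UM lib dir, e.g. $HOME/UMP_6.7.1.7/Linux-glibc-2.5-x86_64/lib
    umlib=$1
    if needs_openssl "$(readelf -d "$umlib/liblbm.so")"; then
        # UM 6.8 and below: point the bundled names at the system libraries.
        crypto=$(system_lib_path libcrypto) || { echo "system libcrypto not found" >&2; return 1; }
        ssl=$(real_lib_in_dir "$(dirname "$crypto")" libssl)
        [ -n "$ssl" ] || { echo "no libssl.so.* beside $crypto" >&2; return 1; }
        retire_um_lib "$umlib" libssl "$ssl"
        retire_um_lib "$umlib" libcrypto "$crypto"
        # The final proof: UM's own library now resolves to the system OpenSSL.
        check_um_libs "$umlib" && ldd "$umlib/liblbm.so" | grep -E 'libssl|libcrypto'
    else
        # UM 6.12 and above: nothing links them, so renaming is the whole patch.
        retire_um_lib "$umlib" libssl
        retire_um_lib "$umlib" libcrypto
        check_um_libs "$umlib"
    fi
}

# Only act when the caller names the UM lib directory; sourcing the file for
# its functions has no side effects.
[ -z "${UM_LIB_DIR:-}" ] || main "$UM_LIB_DIR"
```

Run it as UM_LIB_DIR=$HOME/UMP_6.7.1.7/Linux-glibc-2.5-x86_64/lib sh um_ssl_patch.sh (the file name is the example's own). The readelf test is the useful part for an auditor: it shows which procedure applies from the binary itself rather than from the version string, and the closing ldd line on liblbm.so is the evidence that the library now resolves to the system copies, which addresses the name-based false positive described in the ATTENTION note above better than the file names alone can.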