OpenSSL 3.0.7 update (2022-11-01) FAQ

hexa · October 31, 2022, 3:00pm

What is this post about?

Tomorrow (2022-11-01) the OpenSSL team will release a critical security update to their 3.0 tree. See the official announcement.

What does critical mean?

Critical means, that the upcoming vulnerability is likely exploitable in a common configuration scenario. See /policies/general/security-policy.html for the full explanation.

CVE-2022-3602 has meanwhile been downgraded to HIGH severity, as it is probably not exploitable

How do I know if I am affected?

The NixOS 22.05 release still defaults to OpenSSL 1.1 and is mostly unafffected with the exception of the nginx HTTP server, which has been overriden to use OpenSSL 3.0.
NixOS unstable on the other hand uses OpenSSL 3.0 by default and will therefore be widely affected.

How will this issue be handled within nixpkgs?

For the stable release we plan to push the upgrade directly into release-22.05, given the minimal rebuild amount involved.
For the unstable release we plan to merge the update into the running staging-next cycle, that is in an overall good state, and then shortly thereafter into master.
Once the upgrades reach the master and release-22.05 branches, we will immediately trigger an update to the respective -small channels, since they are more likely to be used by infrastructure. They also provide the basis for the nixos-unstable and nixos-22.05 channels, which will follow shortly thereafter.

When do the updates arrive on the channels?

We will add links to the nixpk.gs PR tracker here once the relevant pull requests are up.

NixOS Unstable: https://nixpk.gs/pr-tracker.html?pr=198999
NixOS 22.05: https://nixpk.gs/pr-tracker.html?pr=199001

What can I do to mitigate the issue right now?

On NixOS 22.05 you can downgrade the OpenSSL version used by nginx, unless you explicitly enabled and are relying on kTLS:
```
nixpkgs.overlays = [
  (final: prev: {
    nginxStable = prev.nginxStable.override { openssl = pkgs.openssl_1_1; };
  })
];
```
via https://xeiaso.net/blog/nixos-nginx-openssl-1.x
An overlay for NixOS unstable, that downgrades the openssl attribute is not recommended, given that it is very expensive to build and entirely untested.
Consider disabling or restricting exposed services for the time being, where possible.

What can I do to mitigate the issue, once the update is available?

If you’re not in a hurry, wait for the channels to catch up and rebuild.

If you’re in a hurry you can replace the OpenSSL runtime dependency without doing a full rebuild:

system.replaceRuntimeDependencies =
  let
    nixpkgsfixed = builtins.fetchTarball "https://github.com/NixOS/nixpkgs/archive/eeca5969b3f42ac943639aaec503816f053e5e53.tar.gz";
    inherit (pkgs.callPackage (nixpkgsfixed + "/pkgs/development/libraries/openssl") {}) openssl_3;
  in
  builtins.map
    (output: {
      original = pkgs.openssl_3.${output};
      replacement =openssl_3.${output};
    })
    # Needs to be toposorted so that the original package is not reintroduced into the closure.
    [ "out" "doc" "debug" "man" "bin" "dev"];

via yuka & Jan Tojnar

Who authored this?

This FAQ was prepared by multiple people in the #security-discuss:nixos.org room on Matrix.

TLATER · October 31, 2022, 4:48pm

nix-store -qR /run/current-system | grep openssl

followed by a

nix why-depends --all /run/current-system /nix/store/<some-openssl-3>

can also give a quick run-down of what packages you have installed that currently depend on openssl 3.x, and is a bit more generic than relying on having only 22.05 packages installed.

Edit: @ElvishJerricco is right, without --all only the first hit will be listed

ElvishJerricco · October 31, 2022, 4:51pm

I would recommend adding --all to that why-depends command.

hexa · November 1, 2022, 3:48pm

OpenSSL 3.0.7 is out, the pull request for staging-next is up and labeled for backport. Was just merged.

https://github.com/NixOS/nixpkgs/pull/198999

Solene · November 1, 2022, 3:59pm

The NixOS community have been greatly responsive to this security issue announcement, thank you very much for all the clear explanations

hexa · November 1, 2022, 4:12pm

Random updates:

Filo Sottile is looking into the vulnerability live on Twitch right now.
CVE-2022-3602 was downgraded from CRITICAL to HIGH severity
The advisory is available at https://www.openssl.org/news/secadv/20221101.txt
The fix for CVE-2022-3602 is Fix CVE-2022-3602 in punycode decoder. · openssl/openssl@fe3b639 · GitHub
Eval for staging-next is running currently, 22.05-small is following next

bb010g · November 1, 2022, 4:12pm

The release-22.05 backport PR has also just been merged:

https://github.com/NixOS/nixpkgs/pull/199001

PR tracker: https://nixpk.gs/pr-tracker.html?pr=199001

yureka · November 1, 2022, 4:15pm

I have patched my systems with the replaceRuntimeDependencies option:

  system.replaceRuntimeDependencies = [
    ({
      original = pkgs.openssl.out;
      replacement = let
        nixpkgsfixed = builtins.fetchTarball "https://github.com/NixOS/nixpkgs/archive/eeca5969b3f42ac943639aaec503816f053e5e53.tar.gz";
        inherit (pkgs.callPackage (nixpkgsfixed + "/pkgs/development/libraries/openssl") {}) openssl_3;
      in openssl_3.out;
    })
  ];

Had to add --impure because replaceRuntimeDependencies runs into errors with pure eval mode otherwise.

EDIT: previous version was broken, because it replaced only the occurrences of the .bin output