R Language OpenSSL Vulnerability

Hello,

We provide our data scientists with ec2 instances that have statistical analysis software on them, including r-studio. These ec2s use Amazon Linux 2. We have recently been flagged for instances that we administrate that contain versions of openssl that are vulnerable to CVE-2022-1292, and the application (tenable) flags specific r-paths like this:

/opt/R/3.6.3/lib/R/library/openssl/libs/openssl.so

This path is showing the installed path of the R openssl package, and we've so far been unable to conclusively prove if this library is part of the system installed openssl package, or if the openssl R package is installing its own openssl dependency. If I load the package in R studio and then run sessionInfo(), I'm given the following version: OpenSSL 1.0.2k-fips 26 Jan 2017 (FIPS) - this matches the installed system version, which we know to be patched for the vulnerability, but since the .so library is not being 'managed' by our system, it's flagged as vulnerable.

For contrast, here is a (not vulnerable) path: /usr/local/ssl/bin/openssl, which provides the same version: OpenSSL 1.0.2k-fips 26 Jan 2017 (FIPS). The key difference is that I can run the following to definitively point to a patched version:

> rpm -qf /usr/bin/openssl
openssl-1.0.2k-24.amzn2.0.12.x86_64

Whereas if I run the above command on the R provided path, I don't get any helpful output.

> rpm -qf /opt/R/3.6.3/lib/R/library/openssl/libs/openssl.so
file /opt/R/3.6.3/lib/R/library/openssl/libs/openssl.so is not owned by any package

That's the reason I was hoping to get some insight into how R/RStudio manages system dependencies like this, and whether or not there's a way to show if they're using the underlying system package or providing their own bundled version of the openssl library.

Thanks!

Hi @linusfy -

I think the answer you are looking for depends on how R gets onto the AMI that you are supporting. This StackOverflow answer implies that there are two versions of R on linux, and if you choose the r-cran-openssl version, OpenSSL will get installed/is compiled as part of the R binary.

Best,
Randy

Thanks @randyzwitch. I work with Linus and am digging into this while he's out.

Looks like we set up the R environment on the AMI by installing r-devtools from https://cran.rstudio.com/, then installing rstudio from https://download2.rstudio.org/server/centos7/x86_64/rstudio-server-rhel-2023.03.0-386-x86_64.rpm and using yum install to install it. From there we install openssl with either (from RStudio console) install.packages("openssl") or (from a terminal) /opt/R/3.6.3/bin/R -e "install.packages('openssl')".

Based on this, does it look like this would be a fully independent install included in the package, or a consumer of the base openssl libs?

Unfortunately, I do not know the specific answer to this question. I would guess that this would use the system OpenSSL from the Linux distribution.

Best,
Randy

The openssl R package is built against the OpenSSL RPM that the linux distribution (e.g. Amazon Linux 2 in your case) provides. You can check that by running ldd /opt/R/3.6.3/lib/R/library/openssl/libs/openssl.so in a terminal, and you will get output similar to the following (ldd lists all the dynamically loaded libraries that a certain file is linked against).

ldd /opt/R/3.6.3/lib/R/library/openssl/libs/openssl.so
        linux-vdso.so.1 =>  (0x00007ffc13ff8000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007f830445f000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f8303ffc000)
        libR.so => /opt/R/4.3.2/lib/R/lib/libR.so (0x00007f8303994000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f83035c6000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f8303379000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f8303090000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f8302e8c000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f8302c59000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f8302a55000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f830283f000)
        libRblas.so => /opt/R/3.6.3/lib/R/lib/libRblas.so (0x00007f830029f000)
        libgfortran.so.3 => /lib64/libgfortran.so.3 (0x00007f82fff7d000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f82ffc7b000)
        libquadmath.so.0 => /lib64/libquadmath.so.0 (0x00007f82ffa3f000)
        libreadline.so.6 => /lib64/libreadline.so.6 (0x00007f82ff7f9000)
        libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f82ff582000)
        liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f82ff35c000)
        libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f82ff14c000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f82fef44000)
        libicuuc.so.50 => /lib64/libicuuc.so.50 (0x00007f82febcb000)
        libicui18n.so.50 => /lib64/libicui18n.so.50 (0x00007f82fe7cc000)
        libgomp.so.1 => /lib64/libgomp.so.1 (0x00007f82fe5a6000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f82fe38a000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f83048e6000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f82fe17a000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f82fdf76000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f82fdd5c000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f82fdb46000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f82fd91c000)
        libicudata.so.50 => /lib64/libicudata.so.50 (0x00007f82fc349000)
        libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f82fc041000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f82fbe1a000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f82fbbb8000)

The two most important lines are the ones containing libssl.so.10 and libcrypto.so.10, both of which you can trace back to the OpenSSL installation provided by the linux distribution (e.g. via rpm -qfi /lib64/libssl.so.10).

I guess if you show your IT security team the above combination of ldd and rpm -qfi you should be able to convince them that the openssl R package is using the patched version of the openssl linux software. Finally, as proof that the installed openssl software is the patched one, get the first few lines of the changelog via rpm -q openssl-libs --changelog | head -2 which will lead to

# rpm -q openssl-libs --changelog  | head -2
* Mon Jan 29 2024 Keerthana Purushotham <keepur@amazon.com> - 1.0.2k-24.amzn2.0.12
- Fix for CVE-2024-0727
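As an added example (not code from the thread, the openssl R package or the distribution), a small shell helper that automates the check the last reply describes: read ldd output, keep the libssl/libcrypto entries, classify each resolved path as the distribution's library or one bundled inside the package directory, and on a real host ask rpm -qf which package owns it. The function names and the sample ldd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify where a shared object's libssl/libcrypto come from.
# Reads ldd output on stdin and prints "<soname> <resolved path>",
# or "<soname> MISSING" when the loader cannot resolve the library.
ssl_deps_from_ldd() {
    awk '/^[[:space:]]*lib(ssl|crypto)\./ {
        path = ($3 ~ /^\//) ? $3 : "MISSING"
        print $1, path
    }'
}

# Classify a resolved path: "bundled" if it sits inside the directory of the
# .so being inspected, "system" if it lives in the distribution library dirs.
# $1 = resolved library path, $2 = directory of the .so under inspection
classify_path() {
    case "$1" in
        "$2"/*)                                   echo bundled ;;
        /lib64/*|/usr/lib64/*|/lib/*|/usr/lib/*) echo system ;;
        *)                                        echo other ;;
    esac
}

# Full check on a real host: needs ldd and rpm. For each libssl/libcrypto
# dependency, print its origin and the RPM that owns it (mirrors rpm -qf).
check_shared_object() {
    so="$1"
    dir=$(dirname "$so")
    ldd "$so" | ssl_deps_from_ldd | while read -r name path; do
        kind=$(classify_path "$path" "$dir")
        owner=$(rpm -qf "$path" 2>/dev/null || echo "not owned by any package")
        printf '%s -> %s [%s] owner: %s\n' "$name" "$path" "$kind" "$owner"
    done
}

# Constructed sample ldd output (not captured from a real host).
SAMPLE_LDD='        linux-vdso.so.1 =>  (0x00007ffc13ff8000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007f830445f000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f8303ffc000)
        libR.so => /opt/R/4.3.2/lib/R/lib/libR.so (0x00007f8303994000)'

# Stand-alone demo on the constructed sample; prints "system" for both.
printf '%s\n' "$SAMPLE_LDD" | ssl_deps_from_ldd | while read -r name path; do
    printf '%s %s %s\n' "$name" "$path" \
        "$(classify_path "$path" /opt/R/3.6.3/lib/R/library/openssl/libs)"
done
```

On a host with rpm installed, run check_shared_object /opt/R/3.6.3/lib/R/library/openssl/libs/openssl.so to get the owner of each resolved library in one step.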
