NPM affected by OpenSSL Vulnerabilities: CVE-2023-0215, CVE-2023-0286, CVE-2022-4304, CVE-2022-4450

[TheDuggem]

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • Yes
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes

Describe the bug
OpenSSL, has released security updates for 3.0, 1.1.1, and 1.0.2 versions. NPM does not have the fixes.

• CVE-2023-0215: Use-after-free following BIO_new_NDEF. Moderate severity; bug affects all versions (3.0, 1.1.1, 1.0.2).
• CVE-2023-0286: X.400 address type confusion in X.509 GeneralName. High severity; bug affects all versions (3.0, 1.1.1 and 1.0.2).
• CVE-2022-4304: Timing Oracle in RSA Decryption. Moderate severity; bug affects all versions (3.0, 1.1.1 and 1.0.2).
• CVE-2022-4450: Double free after calling PEM_read_bio_ex. Moderate severity; bug affects versions 3.0 and 1.1.1 only.

Nginx Proxy Manager Version
v2.9.19

To Reproduce
Start a bash session on the NPM container...
Version 2.9.19 (5920b0c) 2022-11-08 04:56:39 UTC, OpenResty 1.19.9.1, debian 10 (buster), Certbot certbot 1.31.0
Base: debian:buster-slim, linux/amd64
Certbot: nginxproxymanager/nginx-full:latest, linux/amd64
Node: nginxproxymanager/nginx-full:certbot, linux/amd64

[root@docker-10121090ab74:/app]# apt list --installed openssl
Listing... Done
openssl/now 1.1.1n-0+deb10u3 amd64 [installed,local]

Expected behavior
OpenSSL version 1.1.1t should be installed.

Operating System
All? Definitely amd64.

Additional context
Issue and CVEs addressed are described at https://nakedsecurity.sophos.com/2023/02/08/openssl-fixes-high-severity-data-stealing-bug-patch-now/

Version 1.1.1t is not available in Debian Buster repo at the time of this report:

[root@docker-10121090ab74:/app]# apt update
Get:1 http://deb.debian.org/debian buster InRelease [122 kB]
Get:2 http://deb.debian.org/debian-security buster/updates InRelease [34.8 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [56.6 kB]
Get:4 https://deb.nodesource.com/node_16.x buster InRelease [4584 B]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7909 kB]
Get:6 https://deb.nodesource.com/node_16.x buster/main amd64 Packages [773 B]
Get:7 http://deb.debian.org/debian-security buster/updates/main amd64 Packages [431 kB]
Get:8 http://deb.debian.org/debian buster-updates/main amd64 Packages [8788 B]
Fetched 8567 kB in 4s (2270 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
15 packages can be upgraded. Run 'apt list --upgradable' to see them.

[root@docker-10121090ab74:/app]# apt list --upgradable
Listing... Done
curl/oldstable 7.64.0-4+deb10u4 amd64 [upgradable from: 7.64.0-4+deb10u3]
git-man/oldstable 1:2.20.1-2+deb10u7 all [upgradable from: 1:2.20.1-2+deb10u4]
git/oldstable 1:2.20.1-2+deb10u7 amd64 [upgradable from: 1:2.20.1-2+deb10u4]
libcurl3-gnutls/oldstable 7.64.0-4+deb10u4 amd64 [upgradable from: 7.64.0-4+deb10u3]
libcurl4/oldstable 7.64.0-4+deb10u4 amd64 [upgradable from: 7.64.0-4+deb10u3]
libgssapi-krb5-2/oldstable 1.17-3+deb10u5 amd64 [upgradable from: 1.17-3+deb10u4]
libk5crypto3/oldstable 1.17-3+deb10u5 amd64 [upgradable from: 1.17-3+deb10u4]
libkrb5-3/oldstable 1.17-3+deb10u5 amd64 [upgradable from: 1.17-3+deb10u4]
libkrb5support0/oldstable 1.17-3+deb10u5 amd64 [upgradable from: 1.17-3+deb10u4]
libksba8/oldstable 1.3.5-2+deb10u2 amd64 [upgradable from: 1.3.5-2+deb10u1]
libtasn1-6/oldstable 4.13-3+deb10u1 amd64 [upgradable from: 4.13-3]
linux-libc-dev/oldstable 4.19.269-1 amd64 [upgradable from: 4.19.260-1]
ncurses-base/oldstable 6.1+20181013-2+deb10u3 all [upgradable from: 6.1+20181013-2+deb10u2]
ncurses-bin/oldstable 6.1+20181013-2+deb10u3 amd64 [upgradable from: 6.1+20181013-2+deb10u2]
nodejs/unknown 16.19.0-deb-1nodesource1 amd64 [upgradable from: 16.18.1-deb-1nodesource1]

[root@docker-10121090ab74:/app]# apt install openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
openssl is already the newest version (1.1.1n-0+deb10u3).
0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.

[rainyskye]

@jc21 - Is there a plan for providing an updated version?

Thanks :)

[wingcomm]

Pretty curious about this as well...

[TheDuggem]

Updating this issue to note that openssl 1.1.1n-0+deb10u4 is available in the Debian Buster repo. See https://tracker.debian.org/news/1422335/accepted-openssl-111n-0deb10u4-source-into-oldstable/

apt list --upgradable
Listing... Done
[...]
openssl/oldstable 1.1.1n-0+deb10u4 amd64 [upgradable from: 1.1.1n-0+deb10u3]

Building the container locally is a workaround until an updated image is posted.

[wingcomm]

Yeah its good to know that there is a workaround. However, I think this a good warning to anyone thinking of using this in production. You can't rely on the package maintain to patch your containers.

[jc21]

Until the next release you can use the github-develop docker tag which includes openssl 1.1.1n-0+deb10u4.

[jc21]

Resolved in v2.9.20