Nessus OpenSSL 1.0.2 < 1.0.2zg Multiple Vulnerabilities

Posted: Wed Aug 09, 2023 10:33 am
by nasa_dan
RHEL 8.8 server
Nessus Plugin: 171080
OpenSSL 1.0.2 < 1.0.2zg Multiple Vulnerabilities

Plugin Output:
Reported version : 1.0.2k
Fixed version : 1.0.2zg
I think it is referring to /usr/local/ncpa/libssl.so.10 which comes from the NCPA RPM (v2.4.1-1el8)

From another part of the scan report:
We are unable to retrieve version info from the following list of OpenSSL files. However, they may include their OpenSSL version in full or part at the end of their names.

e.g. libssl.so.3 (OpenSSl 3.x), libssl.so.1.1 (OpenSSL 1.1.x)

/usr/lib64/libcrypto.so.1.1.1k
/usr/lib64/libssl.so.1.1.1k
/usr/local/ncpa/libssl.so.10
Any ideas how to verify that /usr/local/ncpa/libssl.so.10 is the offending file and what version it contains?
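
One way to check which file carries the 1.0.2 string and how it compares with the plugin's fixed version, as an added example that is not part of this thread: it scans a binary for the version text OpenSSL compiles into libssl/libcrypto and orders letter-suffixed versions the way OpenSSL 1.0.x numbers them. The scanned file is a constructed stand-in written to a temp directory, not a real libssl.so.10.

```python
import re
import tempfile
from pathlib import Path

# OpenSSL compiles its version text into libssl/libcrypto, e.g.
# "OpenSSL 1.0.2k-fips  26 Jan 2017" or "OpenSSL 1.1.1k  25 Mar 2021".
_VERSION_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(-fips)?\s+\d{1,2} [A-Z][a-z]{2} \d{4}")


def openssl_versions(path):
    """Distinct OpenSSL version strings embedded in a binary, in file order."""
    data = Path(path).read_bytes()
    found = []
    for m in _VERSION_RE.finditer(data):
        version = m.group(1).decode() + ("-fips" if m.group(2) else "")
        if version not in found:
            found.append(version)
    return found


def version_key(version):
    """Sort key for OpenSSL versions: 1.0.2k < 1.0.2z < 1.0.2za < 1.0.2zg.

    The 1.0.x/1.1.x letter suffix runs a..z and then za, zb, ..., so a
    longer suffix is always newer; a "-fips" tag does not affect ordering.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-fips)?", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), len(letters), letters)


def is_older_than_fixed(reported, fixed):
    """True when the embedded version string predates the plugin's fixed version."""
    return version_key(reported) < version_key(fixed)


def scan_sample():
    """Write a constructed stand-in for libssl.so.10 and scan it (not a real library)."""
    blob = (b"\x7fELF" + b"\x00" * 32
            + b"OpenSSL 1.0.2k-fips  26 Jan 2017\x00" + b"\x00" * 16)
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "libssl.so.10"
        lib.write_bytes(blob)
        versions = openssl_versions(lib)
    return {v: is_older_than_fixed(v, "1.0.2zg") for v in versions}


if __name__ == "__main__":
    print(scan_sample())  # {'1.0.2k-fips': True}
```

Point `openssl_versions()` at the real `/usr/local/ncpa/libssl.so.10` to see what that file reports. A version comparison only shows the library is older than upstream's fixed release; on RHEL/CentOS builds, where fixes are backported without bumping the version, it does not by itself show that a specific CVE is unpatched.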

Re: Nessus OpenSSL 1.0.2 < 1.0.2zg Multiple Vulnerabilities

Posted: Wed Aug 09, 2023 11:50 am
by swolf
Hi @nasa_dan, thanks for reaching out.

With our most recent release of NCPA, we decided to build the program on CentOS 7 and get a working distributable from that for all of Enterprise Linux 7/8/9. Because of how NCPA gets built, it ends up shipping a bunch of isolated system packages, including the system's openssl.

My recommendation is that you don't take those scanner results to heart - CentOS 7 reports using OpenSSL 1.0.2k-fips, but the package is also subject to Red Hat's backporting policy. Most of the vulnerabilities found in that package are patched by the RHEL team.

If that doesn't work for you, you might also be able to use the NCPA 3 beta - the functionality should be completely backward compatible, but IIRC we're using Python 3 and OpenSSL 3 instead of Python 2 and OpenSSL 1.x.

Hopefully that helps - let me know if you have any further questions or concerns.