Vulnerability OpenSSL libssl.so.1.0.0

Hi,

The library located at /omd/versions/default/lib/seccli/libssl.so.1.0.0 was reported as vulnerable, as described here: https://www.openssl.org/news/vulnerabilities.html.

How do I solve this vulnerability?

Which vulnerability do you mean exactly? The link only shows the complete list of some hundred entries.

The other point is this lib is part of the “EMC Navisphere CLI” and only used for access to EMC storage devices.

Hi both, the main issue is: when you run an application and it uses potentially vulnerable “modules”, you have to answer the never-ending vulnerability list.
It will be the same here - a scanner will just compare library versions and push out a list of potentially vulnerable parts. We have to address this, either by “deleting” or “deactivating” those modules or addressing them by opening risks.

Question is: How can we address this in the best possible way to silence those nasty security audits?

If you have no EMC storage - delete this folder and the problem is gone.

Here is the description of the EMC command line utilities from the build folder in the CMK GitHub:

# NOTE: The EMC Navisphere command line tools come with their own dynamic
# libraries, which are quite old and some of them even collide with newer ones
# supplied by the distro, e.g. the OpenSSL libraries. We must take great care
# and should NEVER EVER put these ancient libraries into the search path of the
# dynamic linker, the only exception being when calling naviseccli itself. As a
# consequence, we install the libraries to a subdirectory which is not searched
# and call the command via a wrapper which sets LD_LIBRARY_PATH.

This lib path is not included in the normal search path. That means the used security scanner is not so good or broken.

Hi Andreas,

wouldn’t the folder come back on an update?

I suppose the security scanner is just browsing the files of the appliance and comparing them to its internal list. We may run into the same problem in the future. My security department would then ask me: “Please outline how you want to make sure that you do not use those potentially vulnerable libraries?”

If my answer was something along “I would try to make sure that the discovery mechanism will not find older EMC storages.” I would probably get in trouble :slight_smile:

So - is there some way to administratively disable potentially vulnerable default plugins should the need arise? If there was, we could just disable the “nagging” problem in cases where our security departments won’t stop nagging at our feet.

I think there is no easy way to do this.
If your security department has a problem with these files, you can only make a small script that deletes these files after every new version is installed :slight_smile:
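An added example of such a post-update script (not code from this thread or from Checkmk): it lists the bundled OpenSSL objects a file scanner would flag, checks that the seccli directory really is outside the dynamic linker search path, and removes it when no EMC storage is monitored. Only the seccli path comes from the thread; the KEEP_EMC_CLI switch and function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from Checkmk: audit the EMC
# Navisphere CLI libraries bundled under an OMD site and, when no EMC storage
# is monitored, remove them after each update so a file-based scanner stops
# flagging them. Only the seccli path comes from the thread; the KEEP_EMC_CLI
# switch and function names are this script's own assumptions.

SECCLI_DIR="${SECCLI_DIR:-/omd/versions/default/lib/seccli}"

# Print the bundled OpenSSL shared objects in $1, one per line.
bundled_openssl_libs() {
    [ -d "$1" ] || return 1
    find "$1" -maxdepth 1 \( -name 'libssl.so*' -o -name 'libcrypto.so*' \) | sort
}

# Succeed only if $1 is in LD_LIBRARY_PATH or the ldconfig cache, i.e. if
# other programs could actually load these libraries (the thread's point is
# that the seccli directory must never be there).
dir_on_linker_path() {
    case ":${LD_LIBRARY_PATH:-}:" in *":$1:"*) return 0 ;; esac
    ldconfig -p 2>/dev/null | awk 'NF { print $NF }' | grep -q "^$1/"
}

# Show what a scanner sees and whether it is reachable; 2 = reachable.
audit_seccli() {
    libs=$(bundled_openssl_libs "$1") || { echo "no seccli dir at $1"; return 0; }
    [ -n "$libs" ] && printf '%s\n' "$libs" | sed 's/^/bundled: /'
    if dir_on_linker_path "$1"; then
        echo "WARNING: $1 is on the dynamic linker search path"
        return 2
    fi
    echo "ok: $1 is not on the default linker search path"
}

# Delete the seccli directory unless KEEP_EMC_CLI=1 (set it when EMC storage
# is monitored). Returns 0 if removed, 1 if kept or already absent.
purge_seccli() {
    [ -d "$1" ] || return 1
    if [ "${KEEP_EMC_CLI:-0}" = 1 ]; then echo "kept: $1 (KEEP_EMC_CLI=1)"; return 1; fi
    rm -rf "$1" && echo "removed: $1"
}

# Post-update entry point: `sh seccli-audit.sh run` after each Checkmk update.
main() {
    audit_seccli "$SECCLI_DIR"
    purge_seccli "$SECCLI_DIR" || true
}

if [ "${1:-}" = run ]; then main; fi
```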
