While it will take “one or two days” more to bring OpenSSL 1.1.1n, which fixes CVE-2022-0778, to Openresty, this application and many dependent Docker images remain vulnerable to this certificate parsing vulnerability, which can lead to a DoS.
Why is it so slow to simply change one letter in a config file and rebuild everything? I don’t know.
This becomes a problem if you are using, for instance, Nginx Proxy Manager (NPM), which relies on Openresty. In particular, NPM’s Docker image is based on Debian, and Debian’s version of Openresty for Docker relies on Openresty-Openssl, which had already missed the previous OpenSSL update, 1.1.1m from 14 Dec 2021…
CVE-2022-0778 is particularly concerning for web servers like nginx if you have enabled client certificates, since any client can then send a certificate for your server to parse and potentially trigger the vulnerability. So you need to fix it ASAP.
Your best bet is to just compile Openresty yourself within your Docker container for now. Here’s how.
Compiling Openresty within NPM’s container
We are here going to fetch the required dependencies and compile Openresty’s stable version 1.19.9.1 with Openssl 1.1.1n.
First, launch a bash shell in the Docker container:
$ sudo docker exec -it nginxproxymanager-app-1 bash
Then fetch the required packages:
# cd /tmp
# apt update
# apt install -y wget libpcre3 libpcre3-dev
# wget https://www.openssl.org/source/openssl-1.1.1n.tar.gz
# wget https://www.zlib.net/zlib-1.2.11.tar.gz
# wget https://openresty.org/download/openresty-1.19.9.1.tar.gz
# tar zxvf openssl-1.1.1n.tar.gz
# tar zxvf zlib-1.2.11.tar.gz
# tar zxvf openresty-1.19.9.1.tar.gz
Compile OpenSSL, ZLib, and Openresty:
# cd ./openssl-1.1.1n
# ./config
# make
# make install
# cp /usr/local/lib/libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
# cd ..
# cd ./zlib-1.2.11
# ./configure
# make
# make install
# cd ..
# cd openresty-1.19.9.1
# ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module
# make
# make install
# nginx -V
nginx version: openresty/1.19.9.1
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1n 15 Mar 2022
TLS SNI support enabled
[…]
Finally, restart your Docker container.
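As an added check, not part of the original post, the script below parses the output of nginx -V and decides whether both the OpenSSL that nginx was built with and the one it is actually running with carry the CVE-2022-0778 fix. nginx prints a separate "(running with OpenSSL ...)" field when the shared library loaded at runtime differs from the build-time one, which is exactly the situation the libcrypto copy step above is meant to avoid. The fixed versions it recognises (1.1.1n, 3.0.2 and later 3.x releases) come from the OpenSSL advisory; the function names are my own, and the sample outputs embedded in it are constructed, modelled on the real output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an nginx/Openresty
# binary is built with AND running with an OpenSSL that fixes CVE-2022-0778.

# openssl_version_fixed VERSION -> exit 0 if VERSION carries the fix, 1 otherwise.
# Fixed releases per the OpenSSL advisory: 1.1.1n (and later letters), 3.0.2
# (and later 3.0.x), and any 3.1+ release. Other branches are reported as not fixed.
openssl_version_fixed() {
    v="$1"
    case "$v" in
        1.1.1[n-z]*) return 0 ;;          # 1.1.1n ... 1.1.1z
        1.1.1*)      return 1 ;;          # 1.1.1 up to 1.1.1m
        3.0.*)
            patch=${v#3.0.}               # "2", "10", ...
            patch=${patch%%[!0-9]*}       # drop any suffix such as "-dev"
            [ "${patch:-0}" -ge 2 ] && return 0
            return 1 ;;
        3.[1-9]*)    return 0 ;;          # 3.1 and later were released after the fix
        *)           return 1 ;;
    esac
}

# versions_from_nginx_V TEXT -> prints "BUILT RUNNING". When nginx does not
# report a distinct runtime library, RUNNING is the same as BUILT.
versions_from_nginx_V() {
    line=$(printf '%s\n' "$1" | grep '^built with OpenSSL')
    built=$(printf '%s\n' "$line" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p')
    running=$(printf '%s\n' "$line" | sed -n 's/.*running with OpenSSL \([^ )]*\).*/\1/p')
    [ -n "$running" ] || running=$built
    printf '%s %s\n' "$built" "$running"
}

# nginx_V_is_fixed TEXT -> exit 0 only if both build-time and runtime OpenSSL are fixed.
nginx_V_is_fixed() {
    set -- $(versions_from_nginx_V "$1")
    built=$1
    running=$2
    [ -n "$built" ] || return 1           # no OpenSSL line at all: treat as not fixed
    openssl_version_fixed "$built" && openssl_version_fixed "$running"
}

# Constructed sample outputs (modelled on the nginx -V output in the post).
SAMPLE_FIXED='nginx version: openresty/1.19.9.1
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1n  15 Mar 2022
TLS SNI support enabled'

# Built against 1.1.1n, but the dynamic loader still picks up an older library.
SAMPLE_RUNTIME_OLD='nginx version: openresty/1.19.9.1
built with OpenSSL 1.1.1n  15 Mar 2022 (running with OpenSSL 1.1.1k  25 Mar 2021)
TLS SNI support enabled'

SAMPLE_OLD='nginx version: openresty/1.19.9.1
built with OpenSSL 1.1.1k  25 Mar 2021
TLS SNI support enabled'

# Live check when run inside the container: the real nginx -V writes to stderr.
if command -v nginx >/dev/null 2>&1; then
    if nginx_V_is_fixed "$(nginx -V 2>&1)"; then
        echo "nginx OpenSSL: fixed for CVE-2022-0778"
    else
        echo "nginx OpenSSL: NOT fixed for CVE-2022-0778 (build-time or runtime library too old)"
    fi
fi
```

Run it inside the container after the rebuild and again after the restart. A "running with" version that lags the "built with" version means the old libssl/libcrypto is still being loaded from the system library path, so the rebuild alone has not closed the hole.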
Update: even with Openresty-openssl being updated on the repo, the Docker image is still not updated…