Preface
A vulnerability scan found that the OpenSSL version used by nginx on the machine is rather old. In addition, nginx was deployed some time ago and was still at version 1.20.2, so we upgraded both together.
1. Vulnerability content
SSL/TLS protocol information leakage vulnerability (CVE-2016-2183) [Principle Scan]
nginx buffer error vulnerability (CVE-2022-41741)
nginx out-of-bounds write vulnerability (CVE-2022-41742)
2. Current situation
openssl version: 1.0.2k
nginx version: 1.20.2
3. Install openssl11 on CentOS 7
yum install -y epel-release
yum install -y openssl11 openssl11-devel
ln -sf /usr/lib64/pkgconfig/openssl11.pc /usr/lib64/pkgconfig/openssl.pc
mv /usr/bin/openssl /usr/bin/openssl.bak
ln -s /usr/bin/openssl11 /usr/bin/openssl
openssl version
4. Upgrade nginx to 1.24.0
1. Download nginx
mkdir -p /root/nginx/
cd /root/nginx/
wget -c https://nginx.org/download/nginx-1.24.0.tar.gz
tar -xvf nginx-1.24.0.tar.gz
cd /root/nginx/nginx-1.24.0/
2. Compile and install nginx
# Configure the build with the SSL module enabled
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
# Compile
make
# Back up the existing nginx binary
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.1.20.2
# Install the compiled build
make install
3. Configure nginx.service
Create /usr/lib/systemd/system/nginx.service with the following content:
[Unit]
Description=nginx
After=network.target
[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
PrivateTmp=true
[Install]
WantedBy=multi-user.target
4. Restart nginx
systemctl restart nginx.service
systemctl status nginx.service
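An added check, not part of the original article: `openssl version` in step 3 only shows what the command-line symlink points to, so after the restart it is worth confirming what the nginx binary itself reports. The script parses `nginx -V` output for the nginx version and the OpenSSL library in use; the function names, the 1.1.0 OpenSSL floor and the two sample outputs are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the article): check what an nginx binary reports.

# Constructed sample `nginx -V` outputs (illustrative, not captured from a host).
SAMPLE_GOOD='nginx version: nginx/1.24.0
built with OpenSSL 1.1.1k  FIPS 25 Mar 2021
TLS SNI support enabled'
SAMPLE_STALE='nginx version: nginx/1.24.0
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled'

# Print the nginx version, e.g. "1.24.0".
nginx_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p'
}

# Print the OpenSSL version in use. If build-time and run-time libraries
# differ, nginx prints "built with X (running with OpenSSL Y)": report Y.
nginx_openssl_version() {
    local line
    line=$(printf '%s\n' "$1" | sed -n 's/^built with OpenSSL //p')
    case "$line" in
        *"running with OpenSSL "*) line=${line#*"running with OpenSSL "} ;;
    esac
    printf '%s\n' "${line%% *}"
}

# True if version $1 >= version $2 (GNU sort -V ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Return 0 if nginx >= $2 and OpenSSL >= $3; 2 if the text cannot be parsed.
# Defaults: 1.24.0 is the article's target; 1.1.0 is an assumed floor.
check_nginx_build() {
    local nv sv
    nv=$(nginx_version "$1"); sv=$(nginx_openssl_version "$1")
    [ -n "$nv" ] && [ -n "$sv" ] || return 2
    version_ge "$nv" "${2:-1.24.0}" && version_ge "$sv" "${3:-1.1.0}"
}

# Live use: nginx -V writes to stderr, hence 2>&1.
if [ "${1:-}" = "--live" ]; then
    if check_nginx_build "$(/usr/local/nginx/sbin/nginx -V 2>&1)"; then
        echo "OK: nginx and OpenSSL meet the minimums"
    else
        echo "FAIL: check 'nginx -V' output" >&2; exit 1
    fi
fi
```

Run it with `--live` on the upgraded host; a result like SAMPLE_STALE means the new nginx was linked against the old system OpenSSL rather than the openssl11 packages.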
Summary
The OpenSSL used here was installed with yum, but you can also build and install it from source.