URLlib3 supports OpenSSL 1.1.1d which has critical security issue

We are using package requests==2.32.2, which supports urllib3==2.2.1, and it downloads openssl 1.1:1.1.1w-r1; however, we see a critical vulnerability in this version and the scanner shows us fixed version libssl 1.1.1d-r2, which is not referenced by urllib3==2.2.1. Please suggest how we can fix this issue and whether there is any way to explicitly download the latest openssl for urllib3==2.2.1.

I’d expect to see OpenSSL 3 being used on a modern OS and python.

Please provide details so that we can understand your issue.

What OS and version are you using?
What python version are you using?

Upgrade your Python version

I think this was installed by your OS, possibly when it installed an old version of Python, or by Python itself. Not the latest versions of urllib3 or requests.

On Linux distros, the vendored version of Python probably used the distro’s own openssl. The distro or vendor, e.g. the operating system package manager, will need to upgrade it.

On Windows and Mac, Python 3.11.5 or later should be plenty.

Notable changes in 3.11.5

OpenSSL

  • Windows builds and macOS installers from python.org now use OpenSSL 3.0.

We are running docker build on github workflow where linux X64 runners are used and using base image of python from artifactory
artifactory.sdlc.ctl.gcp.db.com/dkr-public-local/gcp-community-images/python:3.10
Runners: Python version - Python 3.11.9

Security is important. For organisations like Deutsche Bank, it’s mission critical.

So I really think you should escalate this. Ask one of your colleagues for help, or even ask them to handle the upgrade entirely. Someone who at the very least knows which Linux distro is running on those docker containers.

If you still wish to proceed yourself, and are happy that if anything isn’t done properly, it’s on you, then we can still proceed. I’m not sure if your scanner is picking up a second install that’s lurking there, nor where your particular docker images are being pulled from (that link doesn’t work as an image tag for me). But firstly Docker Hub’s official Debian Bookworm Python 3.11.9 images already have OpenSSL v3:

root@docker-ce-ubuntu-4gb-hel1-3:~# docker run --rm -it python:3.11.9-bookworm bash
root@37d971e23033:/# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@37d971e23033:/# openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
root@37d971e23033:/#

Secondly, there are possibly other mitigations. You might be safe already. For example, if the concern is actually the recent bugs in OpenSSH, then it’s pretty unusual in the first place to allow direct ssh connections to a Docker container from the wild. I SSH to my host machine, and then connect into running containers with docker exec.

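A small check that ties the two replies together (Python uses whatever libssl the interpreter build or distro provides, and urllib3/requests simply call Python's ssl module). This is an added example, not code from anyone in this thread. It parses the banner that ssl.OPENSSL_VERSION reports, compares it against two thresholds that are assumptions of the example (urllib3 2.x needs OpenSSL 1.1.1 or newer; the 1.1.1 series is past upstream end of life, so only distro backports patch it), and reports which urllib3 is installed and which _ssl extension file was actually loaded, so a scanner hit on a stray libssl on disk can be compared with the copy the interpreter really uses.

```python
"""Report which OpenSSL the running Python (and therefore urllib3/requests) uses.

Added example, not code from the thread. urllib3 and requests do not bundle
OpenSSL: they call Python's ssl module, which is linked against the libssl
that the interpreter build or the Linux distro supplies.
"""
import re
import ssl
import _ssl
from importlib import metadata

# Thresholds assumed by this example: urllib3 2.x requires OpenSSL >= 1.1.1,
# and the whole 1.1.1 series is out of upstream support.
MIN_SUPPORTED = (1, 1, 1, 0)
EOL_SERIES = (1, 1, 1)

# Matches "OpenSSL 1.1.1w  11 Sep 2023" and "OpenSSL 3.0.13 30 Jan 2024".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner: str):
    """Turn an OpenSSL version banner into a comparable tuple.

    1.1.x releases carry a patch letter (a=1 .. z=26); 3.x releases do not,
    so the letter slot is 0 for them. Returns None when the banner is not an
    OpenSSL banner (for example LibreSSL builds report a different name).
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    letter_num = ord(letter) - ord("a") + 1 if letter else 0
    return (major, minor, patch, letter_num)


def assess(banner: str) -> dict:
    """Classify a banner the way a reviewer would read a scanner finding."""
    version = parse_openssl_version(banner)
    if version is None:
        return {"banner": banner, "parsed": None,
                "supported_by_urllib3": False, "eol_series": False}
    return {
        "banner": banner,
        "parsed": version,
        "supported_by_urllib3": version >= MIN_SUPPORTED,
        # Any 1.1.1x build is the end-of-life series; only distro backports
        # still patch it, so the exact package revision matters.
        "eol_series": version[:3] == EOL_SERIES,
    }


def runtime_report() -> dict:
    """Inspect the interpreter this script runs under."""
    report = assess(ssl.OPENSSL_VERSION)
    # The extension module that actually loaded libssl; compare this with
    # whatever file a filesystem scanner flagged.
    report["python_ssl_extension"] = getattr(_ssl, "__file__", "built-in")
    try:
        report["urllib3"] = metadata.version("urllib3")
    except metadata.PackageNotFoundError:
        report["urllib3"] = None
    return report


if __name__ == "__main__":
    for key, value in runtime_report().items():
        print(f"{key}: {value}")
```

Run it inside the image the workflow builds (for example with `docker run --rm image python check_openssl.py`, file name assumed); a `parsed` value starting with (1, 1, 1, ...) with `eol_series: True` means the interpreter itself is on the old series and the fix is a newer base image or distro package, not a urllib3 pin.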