[CentOS] Re: Security implications of openssl098e on CentOS 7

Yamaban foerster at lisas.de
Wed Oct 21 19:20:10 UTC 2015


On Wed, 21 Oct 2015 20:58, Nick Bright <nick.bright at ...> wrote:

> On 10/21/2015 1:55 PM, Andrew Holway wrote:
>> Personally I would go round to that particular vendor's office with a pipe
>> wrench and encourage them to do better. However, unless this software is
>> transmitting credit card information then it seems that you could be
>> safe(ish) from the regulation standpoint. It really depends on the location
>> of the machine. Is it deep in the bowels of your high security nuclear
>> bunker on an air gap network or is it merrily accepting incoming traffic
>> from China? Is the software using an appropriate SELinux policy or is it
>> running unconfined or with SELinux turned off?
>> 
>> It seems PCI-DSS describes a set of simple rules to get IT managers
>> thinking, but they are somewhat open to interpretation. Are you abiding by
>> the spirit of the regulations?
> The particular software requiring 0.9.8 is performing backups of the system to 
> a remote data center.
>
> My concern is that, with the compatibility package installed, could this 
> present vulnerabilities or compliance problems in Apache?

TL;DR: Preload openssl from non-standard location for closed-source app only.

Hmm, how about taking the content of the openssl098e package, putting
it into a directory relative to the closed source software (e.g. /opt),
and creating a wrapper script, similar to the following example:

[code]
#!/usr/bin/bash
# This is a wrapper for app to use openssl 0.9.8 (unsafe)
# app is in /opt/app/
# app starter is /opt/app/bin/starter
# ssl098e libs are in /opt/openssl098/

export LD_LIBRARY_PATH=/opt/openssl098/
exec /opt/app/bin/starter ${1+"$@"}
# ${1+"$@"} expands only if at least $1 is present
[/code]

  YMMV

  - Yamaban.
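An added example, not part of Yamaban's message or of the CentOS thread: the script below shows how to verify that a wrapper of the kind proposed above really scopes the 0.9.8 libraries to the one backup process and does not leak LD_LIBRARY_PATH to the caller (the shell or service manager that also starts Apache, which was Nick's concern). It uses constructed stand-in paths under a temporary directory instead of /opt/openssl098 and /opt/app, a stub "closed-source app" that only reports the environment it was started with, and hypothetical function names (make_demo_app, make_wrapper, wrapped_app_path, wrapped_app_argc, caller_env_unchanged, procs_using_compat_libs). It is POSIX sh rather than bash.

```shell
#!/bin/sh
# Added example, not from the thread. Demonstrates that LD_LIBRARY_PATH exported
# inside a wrapper affects only the exec'd child, and adds a detective check for
# which running processes were started with the compat library directory.
# All paths below are constructed stand-ins for /opt/openssl098 and /opt/app.

DEMO_ROOT="${DEMO_ROOT:-$(mktemp -d)}"
COMPAT_LIBDIR="$DEMO_ROOT/openssl098"          # stand-in for /opt/openssl098
APP_STARTER="$DEMO_ROOT/app/bin/starter"        # stand-in for /opt/app/bin/starter
WRAPPER="$DEMO_ROOT/app/bin/starter-wrapped"    # the wrapper we generate

# Stub "closed-source app": reports the library search path and argument count
# it was started with, so the wrapper's effect can be observed from outside.
make_demo_app() {
    mkdir -p "$COMPAT_LIBDIR" "$DEMO_ROOT/app/bin"
    cat > "$APP_STARTER" <<'EOF'
#!/bin/sh
echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-<unset>}"
echo "ARGS=$#"
EOF
    chmod 0755 "$APP_STARTER"
}

# Generate a wrapper in the same shape as the one proposed in the thread.
# The heredoc is unquoted so the two paths are baked in; ${1+"$@"} is escaped
# so it is evaluated by the wrapper at run time, not here.
make_wrapper() {
    cat > "$WRAPPER" <<EOF
#!/bin/sh
# wrapper: only this process tree sees the 0.9.8 libraries
export LD_LIBRARY_PATH=$COMPAT_LIBDIR
exec "$APP_STARTER" \${1+"\$@"}
EOF
    chmod 0755 "$WRAPPER"
}

# Library search path as seen by the wrapped app (expected: the compat dir).
wrapped_app_path() {
    "$WRAPPER" | sed -n 's/^LD_LIBRARY_PATH=//p'
}

# Number of arguments the wrapped app received, to confirm ${1+"$@"} forwards
# them intact (and expands to nothing when there are none).
wrapped_app_argc() {
    "$WRAPPER" "$@" | sed -n 's/^ARGS=//p'
}

# Succeeds when the caller's own LD_LIBRARY_PATH is the same before and after
# running the wrapper: 'export' in a child cannot modify the parent's environment,
# so Apache started from the same shell or unit is unaffected.
caller_env_unchanged() {
    before="${LD_LIBRARY_PATH:-<unset>}"
    "$WRAPPER" >/dev/null
    after="${LD_LIBRARY_PATH:-<unset>}"
    [ "$before" = "$after" ]
}

# Detective check for a real host: list PIDs whose initial environment carries
# the compat directory in LD_LIBRARY_PATH. Only the backup app should appear;
# an httpd PID here would mean the library leaked. Reading /proc/PID/environ
# of other users' processes requires root, unreadable entries are skipped.
procs_using_compat_libs() {
    for envfile in /proc/[0-9]*/environ; do
        tr '\0' '\n' 2>/dev/null < "$envfile" \
            | grep -q "^LD_LIBRARY_PATH=.*$COMPAT_LIBDIR" \
            && basename "$(dirname "$envfile")"
    done
    return 0
}

make_demo_app
make_wrapper
```

Run it on a scratch host and then `procs_using_compat_libs` while the backup job is active: the only PID listed should be the backup app's, never httpd. The same function can be pointed at the real /opt/openssl098 path by setting COMPAT_LIBDIR.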



