NEWS | November 25, 2022
The currently used MariaDB version in OTOBO’s standard configuration is not affected by the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786.
Many software projects are affected by the 2022 OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786, also known as Spooky SSL. We’re taking this opportunity to describe the current state in OTOBO.
Docker Environments
In the current standard configuration, OTOBO uses MariaDB version 10.5 as its database. The standard database can be changed via the OTOBO_IMAGE_DB setting in the docker_compose configuration.
The MariaDB 10.5 image is based on Ubuntu Focal, which is the 20.04 LTS version that will receive regular security updates until April 2025.
Ubuntu Focal ships OpenSSL version 1.1.1, which, according to Canonical, is not vulnerable on Ubuntu focal (20.04 LTS).
The Image Vulnerability Database lists the products that are affected through their dependency on OpenSSL 3.x:
“Based on information currently available, the following products – through their usage or dependency to OpenSSL 3.x – will be vulnerable:
Debian 12 (bookworm) and unstable
Ubuntu 22.04 and 22.10
RedHat Enterprise Linux 9
Alpine 3.15, 3.16 and edge
Node.js 18 and 19”
Therefore, the MariaDB version we currently use as standard is not vulnerable to the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786.
We still recommend that all users check if they are running the current version of the image.
OTOBO without Docker
If you’re using OTOBO without Docker, it’s essential to install a current distribution that receives regular security updates.
Make sure to install these automatically or at least regularly.
The major distributions have quickly fixed the OpenSSL vulnerability and provided corresponding updates.
To check which version of the OpenSSL library your installed MariaDB binary is linked against, use the ‘ldd’ command:
$ ldd /usr/bin/mariadb | grep ssl
The output shows which libssl is linked; here it is version 1.1 of the libssl library, which is not affected by this vulnerability:
libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fb8b53d00)
On Debian and Ubuntu, you can use the ‘dpkg’ command to display the currently installed version of the package:
$ dpkg -s libssl1.1 | grep Version
The output also indicates a non-vulnerable version:
Version: 1.1.1f-1ubuntu2.13
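The two checks above can be combined into one script. The following is an added example, not part of the OTOBO announcement: it parses ldd and dpkg -s output of the kind shown above, maps the libssl soname to an OpenSSL line, and tests whether the exact package version falls in the range the two CVEs affect (OpenSSL 3.0.0 through 3.0.6; the 1.1.1 line and 3.0.7 or later are not affected). The sample ldd and dpkg outputs embedded in the script are constructed for the demonstration, not captured from a real host; the package names libssl1.1 and libssl3 are the Debian/Ubuntu names for the two lines.

```shell
#!/bin/sh
# Added example, not part of the OTOBO announcement. Classifies which libssl a
# MariaDB client binary is linked against and whether that OpenSSL version falls
# in the range affected by CVE-2022-3602 / CVE-2022-3786 (OpenSSL 3.0.0 through
# 3.0.6; the 1.1.1 line and 3.0.7 or later are not affected).

# Constructed sample outputs (not captured from a real host) so the script runs
# offline. The first pair mirrors a Focal host as in the article, the second a
# host whose MariaDB is linked against OpenSSL 3 (soname libssl.so.3).
SAMPLE_LDD_FOCAL='    linux-vdso.so.1 (0x00007ffd1a3fe000)
    libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fb8b53d0000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fb8b5100000)'
SAMPLE_LDD_OPENSSL3='    linux-vdso.so.1 (0x00007ffe2b7cd000)
    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f3c9e2a0000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3c9dc00000)'
SAMPLE_DPKG_FOCAL='Package: libssl1.1
Status: install ok installed
Version: 1.1.1f-1ubuntu2.13'
SAMPLE_DPKG_OPENSSL3='Package: libssl3
Status: install ok installed
Version: 3.0.5-2ubuntu2'

# Read ldd output on stdin, print the libssl soname version ("1.1", "3", ...).
# Prints nothing when no libssl is linked (static build or no TLS support).
libssl_soname_version() {
    sed -n 's/^[[:space:]]*libssl\.so\.\([0-9.]*\)[[:space:]]*=>.*/\1/p' | head -n 1
}

# Read "dpkg -s <pkg>" output on stdin, print the value of its Version: field.
dpkg_version() {
    sed -n 's/^Version:[[:space:]]*//p' | head -n 1
}

# Verdict from the soname alone. The soname cannot distinguish 3.0.6 from
# 3.0.7, so "3" only tells you to look at the exact package version.
soname_status() {
    case "$1" in
        1.0*|1.1) echo not-affected ;;
        3)        echo check-exact-version ;;
        '')       echo no-libssl-linked ;;
        *)        echo unknown ;;
    esac
}

# Verdict from a full version string such as "3.0.5-2ubuntu2" or
# "1.1.1f-1ubuntu2.13". The Debian revision after the first "-" is dropped.
# Caveat: distributions usually backport the fix without bumping the upstream
# version, so "in-affected-range" on a fully patched host is expected; the
# package changelog or the distribution's advisory gives the final word.
openssl_version_status() {
    upstream=${1%%-*}
    case "$upstream" in
        '')        echo unknown ;;
        3.0.[0-6]) echo in-affected-range ;;
        *)         echo outside-affected-range ;;
    esac
}

# Stand-alone use: inspect the real mariadb client when present, otherwise fall
# back to the constructed Focal sample so the flow is still visible offline.
if command -v mariadb >/dev/null 2>&1; then
    ldd_out=$(ldd "$(command -v mariadb)" 2>/dev/null || true)
else
    ldd_out=$SAMPLE_LDD_FOCAL
fi
soname=$(printf '%s\n' "$ldd_out" | libssl_soname_version)
dpkg_out=""
if [ "$ldd_out" = "$SAMPLE_LDD_FOCAL" ]; then
    dpkg_out=$SAMPLE_DPKG_FOCAL
elif command -v dpkg >/dev/null 2>&1; then
    # On Debian/Ubuntu the package name follows the soname: libssl1.1 or libssl3.
    # (RPM-based systems would query "rpm -q openssl-libs" instead.)
    dpkg_out=$(dpkg -s "libssl$soname" 2>/dev/null || true)
fi
pkg_version=$(printf '%s\n' "$dpkg_out" | dpkg_version)
echo "libssl soname version: ${soname:-<none>}"
echo "verdict from soname:   $(soname_status "$soname")"
echo "package version:       ${pkg_version:-<unknown>}"
echo "verdict from version:  $(openssl_version_status "$pkg_version")"
```

The soname check is the quick triage: a MariaDB binary linked against libssl.so.1.1 is outside the affected code base regardless of patch level, while libssl.so.3 needs the exact package version. Because the fixed packages on distributions that ship OpenSSL 3 typically keep the upstream version in their name, the version check tells you whether the host needs a closer look, not whether it is still unpatched; the distribution's security advisory for the installed package revision settles that.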
In general, we recommend migrating to the Docker variant in the medium term, as it promises more operational security among other benefits. We’ll be happy to support you in this process.
If you have any questions, feel free to contact our support.
About Rother OSS GmbH
The Rother OSS GmbH is the owner of the source code for the open-source service management platform OTOBO. We support our customers with consulting, development, support, and managed services during the introduction and operation of OTOBO. With OTOBO, organizations can design their processes more efficiently, increase employee productivity, and improve service quality – in IT, customer, or enterprise service management. At the same time, they retain control over their data, reduce risks, and save costs. We are passionate about open-source software and believe in the benefits of cooperative development. By releasing OTOBO under the GNU General Public License (GPL v3.0), we want to share our enthusiasm for the open-source model with users, particularly a flexible, scalable, and extendable service management platform. Together with customers, partners, developers, and users, we form the OTOBO community. Nothing motivates us more than enabling additional organizations to use OTOBO to delight their customers with exceptional service. Every smile counts – every day. While we have been offering services for the precursor of OTOBO, the helpdesk system OTRS, since 2011, the community has had a better alternative available since 2019: OTOBO, which is 100% open-source and remains so. Find the latest news about OTOBO at otobo.io or LinkedIn. Follow us!
Press contact
Grit Rother
Tel: +49 9427 68 39 000
Report a security issue:
security@otobo.org