Bug #23054: Oracle Linux 8 agent segfaults on FIPS system

Added by Nicolas CHARLES over 2 years ago. Updated over 1 year ago.

Status: Resolved
Priority: N/A
Assignee: -
Category: Agent
Target version:
Severity: Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: To do
Regression: No

Description

On Oracle Linux 8 on a FIPS system (STIG installation or something like that), the rudder agent fails with a segfault during policy update.
The same rules on an Oracle Linux 9 do not break the rudder agent.

Update:

- the problem is that FIPS forbids MD5 and that CFEngine uses MD5 to create the node identifier (by key pinning)
- in Oracle 8 we use the system openssl while in Oracle 9 we embed one, so that's why there's a difference in observed behavior

- the workaround would be to also embed openssl in Oracle 8
- the correction is to make CFEngine able to use both MD5 (for compat and migration) and SHA2.
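The dual-digest approach named in the description, as an added sketch (not Rudder or CFEngine code): identifiers are computed with every digest the crypto library allows, and an MD5 pin on a FIPS host is reported as unverifiable instead of being processed with a failed digest. The `MD5=`/`SHA=` prefixes, hashing the raw key bytes, and the `fips_like_new` stand-in for a FIPS-enforcing library are assumptions of this example.

```python
import hashlib
import hmac

# Assumed identifier prefixes and digests for this sketch (not taken from the ticket).
DIGESTS = {"MD5": "md5", "SHA": "sha256"}

def fips_like_new(name, data=b""):
    """Constructed stand-in for a FIPS-enforcing crypto library: refuses MD5."""
    if name == "md5":
        raise ValueError("md5 is disabled for FIPS")
    return hashlib.new(name, data)

def key_identifiers(pubkey, new_digest=hashlib.new):
    """Return {prefix: 'PREFIX=hex'} for every digest the library allows."""
    ids = {}
    for prefix, algo in DIGESTS.items():
        try:
            ids[prefix] = f"{prefix}={new_digest(algo, pubkey).hexdigest()}"
        except ValueError:
            # Digest refused by policy: skip it instead of using a failed context.
            continue
    return ids

def check_pinned(pinned, pubkey, new_digest=hashlib.new):
    """Compare a pinned identifier with the key: 'match', 'mismatch' or 'unverifiable'."""
    prefix = pinned.split("=", 1)[0]
    if prefix not in DIGESTS:
        return "unverifiable"
    current = key_identifiers(pubkey, new_digest).get(prefix)
    if current is None:
        return "unverifiable"  # e.g. an MD5 pin on a FIPS host: re-pin with SHA2
    same = hmac.compare_digest(current.encode(), pinned.encode())
    return "match" if same else "mismatch"

# Constructed sample key bytes, not a real public key.
SAMPLE_KEY = b"constructed-public-key-bytes-for-illustration"

if __name__ == "__main__":
    print(key_identifiers(SAMPLE_KEY, fips_like_new))
    print(check_pinned("MD5=" + "0" * 32, SAMPLE_KEY, fips_like_new))
```

With the default `hashlib.new`, a non-FIPS host produces both identifiers, which is the state a migration from MD5 pins to SHA2 pins needs.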

Updated by Nicolas CHARLES over 2 years ago #1

  • Description updated

Updated by Vincent MEMBRÉ over 2 years ago #2

  • Target version changed from 7.3.4 to 7.3.5

Updated by François ARMAND over 2 years ago #3

  • Description updated

Updated by Alexis Mousset over 2 years ago #4

  • Target version changed from 7.3.5 to 7.3.6

Updated by Vincent MEMBRÉ over 2 years ago #5

  • Target version changed from 7.3.6 to 7.3.7

Updated by Vincent MEMBRÉ about 2 years ago #6

  • Target version changed from 7.3.7 to 7.3.8

Updated by Vincent MEMBRÉ about 2 years ago #7

  • Target version changed from 7.3.8 to 7.3.9

Updated by Vincent MEMBRÉ about 2 years ago #8

  • Target version changed from 7.3.9 to 7.3.10

Updated by Vincent MEMBRÉ about 2 years ago #9

  • Target version changed from 7.3.10 to 7.3.11

Updated by Vincent MEMBRÉ almost 2 years ago #10

  • Target version changed from 7.3.11 to 7.3.12

Updated by Vincent MEMBRÉ almost 2 years ago #11

  • Target version changed from 7.3.12 to 7.3.13

Updated by Vincent MEMBRÉ almost 2 years ago #12

  • Target version changed from 7.3.13 to 7.3.14

Updated by Vincent MEMBRÉ over 1 year ago #13

  • Target version changed from 7.3.14 to 7.3.15

Updated by Alexis Mousset over 1 year ago #14

  • Status changed from New to Resolved

We have developed a workaround with OMNI packages, closing.
