# AD3042: DoNotStaticallyLinkOpenSSLELF

## Summary
| Property | Value |
|---|---|
| ID | AD3042 |
| Name | DoNotStaticallyLinkOpenSSLELF |
| Category | Security |
| Severity | Warning |
| Applies to | ELF (Linux/Unix) |
## Description
ELF binaries should not statically link OpenSSL. Static linking makes it difficult to update OpenSSL when security vulnerabilities are discovered.
## How It Works
The rule detects statically linked OpenSSL by:
- Scanning for OpenSSL version strings
- Checking for OpenSSL symbols without dynamic references
- Detecting libcrypto/libssl code patterns
## Why This Matters
OpenSSL vulnerabilities are frequently discovered and require prompt patching. Static linking prevents quick updates.
## OpenSSL Vulnerability History
| Year | Notable CVEs |
|---|---|
| 2014 | Heartbleed (CVE-2014-0160) |
| 2015 | FREAK, Logjam |
| 2016 | DROWN, Sweet32 |
| 2022 | CVE-2022-0778, CVE-2022-3602 |
## Update Scenarios

Vulnerability disclosed:

```text
Static linking path:
  Identify affected binaries
  → Rebuild each one
  → Test each one
  → Deploy each one
  → Days to weeks

Dynamic linking path:
  Update system OpenSSL package
  → Restart services
  → Hours
```
## Detection Method
Static OpenSSL indicators:
- No libssl.so/libcrypto.so in DT_NEEDED
- OpenSSL version string embedded
- SSL_* symbols not in dynamic section
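The first two indicators above, as an added example that is not the rule's own implementation: a small Python checker (hypothetical names `dt_needed`, `check_static_openssl`) that walks the ELF64 dynamic section for `DT_NEEDED` entries and scans the image for an embedded OpenSSL version string, flagging the binary when the string is present but neither `libssl.so` nor `libcrypto.so` is loaded dynamically. `build_sample_elf` constructs a minimal ELF fixture so the check runs offline; it assumes ELF64 little-endian input and does not implement the third indicator (`SSL_*` symbols in the dynamic symbol table).

```python
# Added example (not the rule's own code): AD3042 indicators 1 and 2 on an ELF64 LE image.
import re
import struct

SHT_STRTAB, SHT_DYNAMIC, DT_NULL, DT_NEEDED = 3, 6, 0, 1
SHDR = "<IIQQQQIIQQ"  # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
VERSION_RE = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]?")  # e.g. "OpenSSL 3.0.13 30 Jan 2024"

def dt_needed(blob: bytes) -> list[str]:
    """Return DT_NEEDED names from the SHT_DYNAMIC section (indicator: libssl/libcrypto absent)."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    shoff = struct.unpack_from("<Q", blob, 40)[0]           # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", blob, 58)  # e_shentsize, e_shnum
    sections = [struct.unpack_from(SHDR, blob, shoff + i * shentsize) for i in range(shnum)]
    needed = []
    for _, typ, _, _, off, size, link, *_ in sections:
        if typ != SHT_DYNAMIC:
            continue
        strtab = sections[link][4]  # sh_link of .dynamic is the .dynstr section
        for pos in range(off, off + size, 16):  # Elf64_Dyn is 16 bytes
            tag, val = struct.unpack_from("<qQ", blob, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(blob[strtab + val:blob.index(b"\0", strtab + val)].decode())
    return needed

def check_static_openssl(blob: bytes) -> dict:
    """Flag OpenSSL code embedded (version string present) but not loaded through DT_NEEDED."""
    needed = dt_needed(blob)
    dynamic_openssl = any(n.startswith(("libssl.so", "libcrypto.so")) for n in needed)
    versions = sorted({m.decode() for m in VERSION_RE.findall(blob)})
    return {"needed": needed, "versions": versions, "static_openssl": bool(versions) and not dynamic_openssl}

def build_sample_elf(needed: list[str], payload: bytes) -> bytes:
    # Constructed fixture: minimal ELF64 LE with only .dynstr, .dynamic and a payload blob.
    dynstr, offsets = b"\0", []
    for name in needed:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets) + struct.pack("<qQ", DT_NULL, 0)
    body = dynstr + dynamic + payload
    shdrs = (struct.pack(SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
             + struct.pack(SHDR, 0, SHT_STRTAB, 0, 0, 64, len(dynstr), 0, 0, 1, 0)
             + struct.pack(SHDR, 0, SHT_DYNAMIC, 0, 0, 64 + len(dynstr), len(dynamic), 1, 0, 8, 16))
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, 3, 0)
    return ehdr + body + shdrs
```

Run `check_static_openssl(open(path, "rb").read())` on a real binary; a statically linked build reports `static_openssl: True` with no `libssl`/`libcrypto` in `needed`.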
## Container Considerations
| Deployment | Update Method |
|---|---|
| VM/Bare metal | System package update |
| Container | Rebuild container image |
| Static binary | Rebuild application |
## Exceptions
| Scenario | Consideration |
|---|---|
| FIPS certification | May require specific version |
| Minimal containers | Consider BoringSSL/LibreSSL |
| Reproducible builds | Pin version, monitor CVEs |
## Resolution

Use dynamic linking:

```bash
# Dynamic linking (default)
gcc -o program program.c -lssl -lcrypto

# Verify dynamic linking: both libssl.so.* and libcrypto.so.* should be listed
ldd program | grep -E 'libssl|libcrypto'
```

Note that `ldd` may execute the binary in some configurations, so do not run it on an untrusted binary; read the `DT_NEEDED` entries with `readelf -d` instead.