[BUG] -Azure Service Fabric OpenSSL version 3.1.0.0 vulnerability

[keithwlt]

Describe the bug
Azure Service Fabric appears to be using OpenSSL version 3.1.0.0 which has a vulnerability as detailed in CVE-2023-2650.

Area/Component:
Azure Service Fabric OpenSSL version 3.1.0.0

To Reproduce
Steps to reproduce the behavior:

1. Create a new Service Fabric cluster from the Azure portal. Use WindowsServer 2019-Datacenter for the Operation System. Service Fabric version used was 10.1.1541.9590
2. After the cluster is deployed, login to one of the deployed virtual machines
3. Check the version information on these files, they both show Version: 3.1.0.0.

• c:\program files\microsoft service fabric\bin\fabric\fabric.code\libcrypto-3-x64.dll
• c:\program files\microsoft service fabric\bin\fabric\fabric.code\libssl-3-x64.dll

Expected behavior
Update needed to OpenSSL version used by Azure Service Fabric

Observed behavior:
Check the version information on these files, they both show Version: 3.1.0.0.

• c:\program files\microsoft service fabric\bin\fabric\fabric.code\libcrypto-3-x64.dll
• c:\program files\microsoft service fabric\bin\fabric\fabric.code\libssl-3-x64.dll

Screenshots

Service Fabric Runtime Version:
10.1.1541.9590
10.0.1949.9590

Environment:

• Azure
• OS: Windows Server 2019
• Version 10.1.1541.9590

If this is a regression, which version did it regress from?

Additional context
I reported this through MSRC and they just closed the case.

---

Assignees: /cc @microsoft/service-fabric-triage

[williamoconnorme]

The same library versions are present in latest 10.1.2175.9590 runtime release