[Feature Request] - ClamAV FIPS support in AL2023 #1041

@gooosetavo

Description

Is your feature request related to a problem? Please describe.

ClamAV is completely non-functional on FIPS-enabled Amazon Linux 2023 systems.

The error manifests as:

LibClamAV Error: Can't load /var/lib/clamav/daily.cvd: Can't allocate memory
ERROR: Can't allocate memory

The actual root cause is that FIPS mode disables MD5 hashing, which ClamAV relies on for database verification. When OpenSSL rejects MD5 operations in FIPS mode, ClamAV fails and incorrectly reports this as a memory allocation error.

Describe the solution you'd like

Rebuild clamav1.4 packages for Amazon Linux 2023 with FIPS compatibility, incorporating the upstream fixes from the ClamAV project, or publish clamav1.5 package:

  1. Apply upstream FIPS compatibility patches:

  2. Use OpenSSL 3.0+ property-based filtering to allow MD5 for non-security-critical operations (database integrity checks) while maintaining FIPS compliance for cryptographic operations:

     md = EVP_MD_fetch(NULL, alg, "-fips");  // Allow MD5 for non-FIPS uses

  3. Test packages on FIPS-enabled AL2023 systems before release to ensure functionality

This would make ClamAV fully functional in FIPS mode while maintaining security compliance.

Describe alternatives you've considered

Alternative 1: Disable FIPS Mode in Containers

Status: Not acceptable for compliance requirements

  • Setting OPENSSL_FIPS=0 would violate organizational security policies
  • FIPS compliance is mandatory for government and regulated industries
  • Cannot selectively disable FIPS for individual applications

Alternative 2: Compile ClamAV from Source

Status: ⚠️ High maintenance overhead

  • Would require maintaining custom build pipeline
  • Increases container build time and complexity
  • Loses benefit of AWS-managed security updates
  • Not sustainable for production deployments

Alternative 3: Switch to Ubuntu/Debian Base Images

Status: ⚠️ Major infrastructure change

  • Requires rebuilding all container images
  • May have FIPS-compatible ClamAV packages
  • Loses Amazon Linux ecosystem benefits and AWS support
  • Significant migration effort across infrastructure

None of these alternatives are satisfactory compared with having FIPS-compatible ClamAV packages in the AL2023 repositories.

Additional context

Current Package Status (AL2023 Release 2023.6.20250303)

From the Amazon Linux 2023 Release Notes:

ClamAV 1.4 Release

This release introduces ClamAV 1.4 as a new package alongside the existing ClamAV installation:

  • Version: 1.4.2-1.amzn2023.0.1
  • Architectures: aarch64, x86_64

Target Transition (Sept/Oct 2025):

  • ClamAV 1.4 becomes default
  • AWS recommends immediate migration to clamav1.4 to ensure continued security and support

Current installed version on our systems: ClamAV 1.4.3

Upstream Issue Status

Upstream ClamAV Project: Issue #564 - FIPS Compatibility

  • Status: Closed (fixes merged)
  • Fixed in: ClamAV 1.0.0+ (PRs #1417, #1532)
  • Solution: OpenSSL 3.0+ property-based filtering for MD5 operations

The upstream project has resolved this issue, but the Amazon Linux 2023 packages either do not include these fixes or are not compiled with the OpenSSL configuration needed to enable FIPS-compatible MD5 usage.

Error Examples

freshclam output:

ClamAV update process started at Thu Dec 18 19:01:13 2025
daily database available for update (local version: 27847, remote version: 27854)
Downloading database patch # 27848...
Time:    0.2s, ETA:    0.0s [========================>]   22.22MiB/22.22MiB
ERROR: Verification: Can't allocate memory
ERROR: Update failed for database: daily
ERROR: Database update process failed: Invalid or corrupted CVD/CLD database

clamscan output:

LibClamAV Error: Can't load /var/lib/clamav/daily.cvd: Can't allocate memory
LibClamAV Error: cli_loaddbdir: error loading database /var/lib/clamav/daily.cvd
ERROR: Can't allocate memory

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 1.4.3
Scanned directories: 0
Scanned files: 0

System Resource Verification

To rule out actual resource constraints, we verified:

$ cat /proc/meminfo | grep -E "MemTotal|MemFree|MemAvailable"
MemTotal:       129796344 kB  # 123.8 GB
MemFree:        78310772 kB   # 74.6 GB
MemAvailable:   118803328 kB  # 113.3 GB

$ cat /sys/fs/cgroup/memory.max
17179869184  # 16 GB container limit

$ ulimit -a
virtual memory              (kbytes, -v) unlimited
max memory size             (kbytes, -m) unlimited

$ df -h /tmp
Filesystem      Size  Used Avail Use% Mounted on
/dev/md127      3.5T  102G  3.4T   3% /tmp

Resources are clearly sufficient. The "memory allocation" error is a red herring masking the FIPS/MD5 compatibility issue.

Technical Analysis

According to the upstream issue, ClamAV's MD5 usage includes:

  1. Database verification: CVD/CLD file integrity checks (non-cryptographic, could use any hash)
  2. Signature matching: Pattern identification (non-cryptographic)
  3. Verdict caching: Performance optimization (non-cryptographic)

None of these uses require cryptographically-secure hashing. The upstream fix allows MD5 for these non-security-critical operations while maintaining FIPS compliance for actual cryptographic functions.
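The following is an added example, not code from ClamAV or from the Amazon Linux packages, showing what the property-based approach from the "Describe the solution you'd like" section looks like in practice for the database-integrity case listed above. Python's hashlib.md5(..., usedforsecurity=False) is implemented in CPython by fetching the digest from OpenSSL with the "-fips" property query, the same call as EVP_MD_fetch(NULL, "MD5", "-fips"), so the integrity check keeps working on a FIPS-enabled host while the default property query (usedforsecurity=True) still refuses MD5. The header layout, the Example-VDB tag and the sample body are constructed for this example and only loosely modelled on a CVD header; the verifier reports a refused digest as an algorithm problem instead of a memory error.

```python
"""Added example: CVD-style database integrity check that uses MD5 purely as a
non-security checksum, so it works on FIPS-enabled hosts.

The header layout below is constructed for this example (hypothetical field
order, not ClamAV's real CVD format). Requires Python >= 3.9 for usedforsecurity.
"""
import hashlib
import hmac

HEADER_LEN = 64            # constructed fixed-size header
MAGIC = b"Example-VDB"     # constructed tag, not ClamAV's real magic string


def integrity_md5(data: bytes) -> str:
    """MD5 as a file-integrity checksum, not a security primitive.

    usedforsecurity=False makes CPython fetch MD5 from OpenSSL with the
    "-fips" property query (equivalent to EVP_MD_fetch(NULL, "MD5", "-fips")),
    so the default provider serves it even when the FIPS provider is active.
    """
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def build_db(body: bytes, version: int, sig_count: int) -> bytes:
    """Pack a body behind a colon-separated header that carries its MD5."""
    fields = b":".join([MAGIC, str(version).encode(), str(sig_count).encode(),
                        integrity_md5(body).encode()])
    if len(fields) > HEADER_LEN:
        raise ValueError("header too long")
    return fields.ljust(HEADER_LEN, b"\0") + body


def verify_db(blob: bytes) -> tuple:
    """Return (ok, reason).

    A checksum mismatch is reported as exactly that, and a digest the crypto
    library refuses to supply is reported as a FIPS/algorithm problem rather
    than being folded into an unrelated error such as a memory failure.
    """
    if len(blob) < HEADER_LEN:
        return False, "truncated header"
    header, body = blob[:HEADER_LEN].rstrip(b"\0"), blob[HEADER_LEN:]
    parts = header.split(b":")
    if len(parts) != 4 or parts[0] != MAGIC:
        return False, "malformed header"
    expected = parts[3].decode("ascii", "replace")
    try:
        actual = integrity_md5(body)
    except ValueError as exc:  # OpenSSL would not provide MD5 under any property query
        return False, f"MD5 unavailable from crypto library: {exc}"
    if not hmac.compare_digest(actual, expected):
        return False, "checksum mismatch"
    return True, "ok"


def security_md5_available() -> bool:
    """Probe MD5 under the default property query, i.e. what a build without
    the "-fips" query effectively asks for. False on a FIPS-enabled host,
    while integrity_md5() above still succeeds there."""
    try:
        hashlib.md5(b"", usedforsecurity=True)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample body standing in for the compressed payload of a CVD.
    sample = b"Example.Signature-1:0:*:deadbeef\n" * 3
    db = build_db(sample, version=27854, sig_count=3)
    print(verify_db(db))                    # (True, 'ok')
    print(verify_db(db[:-1] + b"!"))        # (False, 'checksum mismatch')
    print("MD5 under default properties:", security_md5_available())
```

On a non-FIPS host both probes succeed; on a FIPS-enabled AL2023 host security_md5_available() returns False while verify_db() still passes, which is the split between non-security and security uses that the upstream fix relies on.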

Impact on Amazon Linux Users

With AL2023's stated timeline to make ClamAV 1.4 the default in Sept/Oct 2025 and the recommendation for "immediate migration," this issue will affect all FIPS-enabled AL2023 users who follow AWS guidance to upgrade to clamav1.4.

Current workarounds (S3 fallback, disabling verification) only partially address the issue - scanning still fails, leaving systems without antivirus protection.

Deployment Environment

Our use case: Kubernetes-based antivirus scanning service for file uploads

  • Platform: Amazon EKS with FIPS-enabled AL2023 worker nodes
  • Container: peregrine-tools (AL2023-based)
  • Workload: Asynchronous file scanning via SQS queue processing
  • Compliance: FIPS 140-2 required for data processing

Request Priority Justification

High Priority - This issue:

  1. Affects security-critical functionality (antivirus scanning)
  2. Blocks FIPS-compliant deployments (mandatory for many industries)
  3. Impacts AWS's recommended ClamAV 1.4 migration path
  4. Has upstream fixes available, just needs package rebuild
  5. Will affect more users as Sept/Oct 2025 default transition approaches

Suggested Package Build Changes

For the clamav1.4 package build on AL2023:

  1. Ensure compilation against OpenSSL 3.0+ with FIPS module enabled
  2. Apply upstream FIPS compatibility patches (if not already present)
  3. Enable property-based MD5 filtering in the build configuration
  4. Add FIPS-enabled system to package testing matrix
  5. Update package description/documentation to note FIPS compatibility status
