openssl-1.1.1c-15.el8
Errata ID: AXSA:2020-289:02
Release date:
2020/09/07 Monday - 06:27
Title:
openssl-1.1.1c-15.el8
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- In OpenSSL, an EC group constructed from explicit parameters instead of a named curve can be specified without a cofactor. When such a curve is used, OpenSSL falls back to a code path that is not resistant to side-channel attacks, so an attacker is able to mount a side-channel attack. (CVE-2019-1547)
- In its default configuration, OpenSSL does not use the new random number generator (RNG) re-implemented in 1.1.1, so a parent process and a child process may share the same RNG state. (CVE-2019-1549)
- In OpenSSL, when an attacker can receive notification of decryption results after sending a large number of messages, a Bleichenbacher padding oracle attack can be used to recover the encryption key of a CMS/PKCS7 message or to decrypt RSA-encrypted messages. (CVE-2019-1563)
Solution:
Update the packages.
CVE:
CVE-2019-1547
Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
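As an added example for CVE-2019-1547 (not code from this advisory or from OpenSSL): a stdlib-only Python check that reports whether a DER-encoded EC key carries a named-curve OID or explicit parameters, and for explicit parameters whether the cofactor is present, which is exactly the condition the advisory describes. The function names and the sample keys at the bottom are assumptions of this example; the samples are constructed with placeholder values and are not real keys.

```python
OID_EC_PUBLIC_KEY = bytes.fromhex("2A8648CE3D0201")  # 1.2.840.10045.2.1 id-ecPublicKey
OID_PRIME256V1 = bytes.fromhex("2A8648CE3D030107")   # 1.2.840.10045.3.1.7
OID_PRIME_FIELD = bytes.fromhex("2A8648CE3D0101")    # 1.2.840.10045.1.1 prime-field

def _iter_tlv(buf):
    """Yield (tag, body) for each DER element at the top level of buf."""
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:  # long-form length
            k = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + ln]
        i += ln

def _classify(tag, body):
    """Label an ECParameters CHOICE: OID = named, NULL = implicit, SEQUENCE = explicit."""
    if tag == 0x06:
        return "named"
    if tag == 0x30:  # SpecifiedECDomain: version, fieldID, curve, base, order, cofactor OPTIONAL
        fields = list(_iter_tlv(body))
        has_cofactor = len(fields) >= 6 and fields[5][0] == 0x02
        return "explicit-with-cofactor" if has_cofactor else "explicit-no-cofactor"
    return "implicit" if tag == 0x05 else None

def ec_param_encoding(der):
    """Label the first EC key found in DER (SEC1, PKCS#8, SPKI or X.509), or None."""
    for tag, body in _iter_tlv(der):
        inner = list(_iter_tlv(body)) if tag in (0x30, 0xA0) else []
        # AlgorithmIdentifier { id-ecPublicKey, ECParameters } as used by PKCS#8, SPKI, X.509
        if tag == 0x30 and len(inner) == 2 and inner[0] == (0x06, OID_EC_PUBLIC_KEY):
            return _classify(*inner[1])
        # SEC1 ECPrivateKey: parameters [0] EXPLICIT ECParameters
        if tag == 0xA0 and inner and inner[0][0] in (0x06, 0x05, 0x30):
            return _classify(*inner[0])
        if tag in (0x30, 0x31, 0xA0, 0xA3):  # descend into constructed types
            found = ec_param_encoding(body)
            if found:
                return found
    return None

def _tlv(tag, body):  # short-form DER encoder for the constructed samples below (not real keys)
    return bytes([tag, len(body)]) + body
def _sec1_key(params):  # SEC1 ECPrivateKey with a dummy 32-byte scalar
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\x11" * 32) + _tlv(0xA0, params))
def _explicit_params(with_cofactor):  # SpecifiedECDomain with placeholder field values
    f = _tlv(0x02, b"\x01") + _tlv(0x30, _tlv(0x06, OID_PRIME_FIELD) + _tlv(0x02, b"\x7f"))
    f += _tlv(0x30, _tlv(0x04, b"\x02") + _tlv(0x04, b"\x03")) + _tlv(0x04, b"\x04\x05\x06") + _tlv(0x02, b"\x65")
    return _tlv(0x30, f + (_tlv(0x02, b"\x01") if with_cofactor else b""))
NAMED_KEY = _sec1_key(_tlv(0x06, OID_PRIME256V1))
EXPLICIT_KEY_NO_COFACTOR = _sec1_key(_explicit_params(False))
EXPLICIT_KEY_WITH_COFACTOR = _sec1_key(_explicit_params(True))
```

For a PEM file, strip the header and footer lines and base64-decode the rest before calling ec_param_encoding. A key that reports explicit parameters can be re-encoded with a named curve using `openssl ec -param_enc named_curve`, which avoids the fallback code path regardless of library version.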
CVE-2019-1549
OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
CVE-2019-1563
In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Additional information:
N/A
Download:
SRPMS
- openssl-1.1.1c-15.el8.src.rpm
MD5: d0785fefe7eabbe132d0dd3e68dd5704
SHA-256: c07e456fcf2e4663df10863c5f9aafae0f21b7b84b306fbbbb0784116cbe9b21
Size: 6.36 MB
Asianux Server 8 for x86_64
- openssl-1.1.1c-15.el8.x86_64.rpm
MD5: 3ac41dff8b60c1c1403238129da3e0e3
SHA-256: aa05b2b6c2944801de04b53c25c7517593dcd8188fdec99081d902fde1d7a756
Size: 696.73 kB
- openssl-devel-1.1.1c-15.el8.x86_64.rpm
MD5: 1142f91c03fc6b2fee87a9bc140a43d8
SHA-256: 5aef64a6d1de9ddbe25009ad0389612ba074732f046df9c82346dd922a6f0d82
Size: 2.29 MB
- openssl-libs-1.1.1c-15.el8.x86_64.rpm
MD5: dd9d5715b28d97be376f75be0410c04c
SHA-256: 9301237c33365de7a2ffb78e18732ced2a7c8ce8b82a3e107895ae56556d3239
Size: 1.46 MB
- openssl-perl-1.1.1c-15.el8.x86_64.rpm
MD5: 00ecbe3749b4515eb296e942e22aed4d
SHA-256: a7f58f6d90f724d997d428546a48cc495250208e46525e73737049bac82df17f
Size: 77.61 kB
- openssl-devel-1.1.1c-15.el8.i686.rpm
MD5: a140038cbee8876fd22742b0d1fa3538
SHA-256: 763febc423f7e0365cb0db7052be341267468201e1e1c440c455d56058a4d0d9
Size: 2.29 MB
- openssl-libs-1.1.1c-15.el8.i686.rpm
MD5: 10250c2aaf4e65716917677b2187e0c9
SHA-256: a52c21e283140aba58ef663488730684d5e3b88442569231a187feca7109133d
Size: 1.47 MB