openssl-1.1.1k-5.el8
エラータID: AXSA:2021-2837:06
リリース日:
2021/12/22 Wednesday - 04:56
題名:
openssl-1.1.1k-5.el8
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- OpenSSL の ASN.1 構造体を出力する関数には、ASN.1 構造体の
データフィールドが NUL で終端されていない ASN1_STRING で
構成されていた場合、読み込みでバッファーオーバーランが発生する
問題があり、悪意のある攻撃者が NUL 終端していない ASN1_STRING を
直接構築した ASN.1 構造体を、影響を受ける OpenSSL 関数を通じて
処理させることにより、サービス拒否に繋がるクラッシュを発生させたり、
公開鍵や機密性の高い平文等のプライベートなメモリデータを公開する
脆弱性があります。(CVE-2021-3712)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2021-3712
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).
追加情報:
N/A
ダウンロード:
SRPMS
- openssl-1.1.1k-5.el8.src.rpm
MD5: e8031c9648be6012a17eeb435f0bd0b7
SHA-256: eda9f0f8314d00890e7e60be3cfdb6f5b7dc1b8d926b2711eb37fe6fcaacb9cb
Size: 7.29 MB
Asianux Server 8 for x86_64
- openssl-1.1.1k-5.el8.x86_64.rpm
MD5: fe4e1da8dc70ce16f880a8138e6a50dc
SHA-256: 4fac87d2fd457f3204390cc9f2a9783f5cf0288a776ee210b06dc943a8f469d4
Size: 707.66 kB - openssl-devel-1.1.1k-5.el8.x86_64.rpm
MD5: a1e79c3dade9b853412dbf81b8858a0c
SHA-256: 0bfa43410433fc5a3b0ac067b1f3e2b388b3e69c5c8af9fbe3a3d18e6e2c965e
Size: 2.33 MB - openssl-libs-1.1.1k-5.el8.x86_64.rpm
MD5: 41065ac679945836600047f660055f67
SHA-256: 6bf56737a0af5cca639c67d9c2694c4ea8f2f0d28cddb2df72416ea7b06eb179
Size: 1.47 MB - openssl-perl-1.1.1k-5.el8.x86_64.rpm
MD5: c252a5b659e422f865348475ca85fa29
SHA-256: 5f3ef8ae078793da8d817154fc628a7e90db5ca1fd502ec2108ee8ef4d708baa
Size: 80.50 kB - openssl-devel-1.1.1k-5.el8.i686.rpm
MD5: a9ae589533164903bb9501be8c82513d
SHA-256: 29b65a5dc1ffcb9aed2a0bdaa0fd5d16b95c9c6261410e482a3d0e440e9ce230
Size: 2.33 MB - openssl-libs-1.1.1k-5.el8.i686.rpm
MD5: f6533c890926ba816ce94f620f1c9832
SHA-256: 40c8554316c995fb6a0813f38aebe1f217b8c9da1f575382918004246785395b
Size: 1.48 MB