openssl-1.0.2k-12.el7
エラータID: AXSA:2018-2937:01
以下項目について対処しました。
[Security Fix]
- OpenSSL の x86_64 のモンゴメリべき乗プロシージャにはキャリー伝搬の
問題が存在します。EC アルゴリズムは影響を受けません。
分析では RSA と DSA に対する攻撃はとても困難でありえないと思われます。
秘密鍵についての情報を推測するにはオフラインで行われるため,DH に対す
る攻撃は可能ですが,大変困難だと考えられます。
この脆弱性は Intel Broadwell (第5世代) 以降,AMD Ryzen のような BMI1,
BMI2,ADX 拡張をサポートするプロセッサのみ影響を受けます。
(CVE-2017-3736)
- OpenSSL は 「エラーステート」メカニズムを導入し,その意図は,もし重大な
エラーがハンドシェーク中に起こり,OpenSSL がエラーステートに移行し,ハンド
シェークを続行しようとするとただちに失敗にするということにあります。
この仕組は,ハンドシェーク関数の場合には正しく動作していますが,バグのため
SSL_read() あるいは SSL_write() が直接呼ばれると正しく動作しない問題があり
ます。そのシナリオでは,ハンドシェークが失敗すると致命的エラーが最初の関数の
呼び出しで返されます。その後,致命的エラーを無視するバグのあるアプリケーショ
ンが SSL_read()/SSL_write() を同じ SSLオブジェクトで呼ぶと成功してしまい,
データが復号化/暗号化されずに直接 SSL/TLS レコードレイヤからデータが渡される
脆弱性があります。(CVE-2017-3737)
- OpenSSL の AVX2 モンゴメリ乗算プロシージャにはオーバーフローのバグが
存在します。EC アルゴリズムは影響を受けません。分析では RSA と DSA に対
する攻撃はとても困難でありえないと思われます。秘密鍵についての情報を推測
するにはオフラインで行われるため,DH1024 に対する攻撃は可能ですが,大変
困難だと考えられます。この脆弱性は Intel Haswell (第4世代) のような ADX
拡張はサポートしないが AVX2 拡張をサポートするプロセッサのみ影響を受けま
す。(CVE-2017-3738)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
パッケージをアップデートしてください。
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.
N/A
SRPMS
- openssl-1.0.2k-12.el7.src.rpm
MD5: 037620b80511c636549319ee96f937f7
SHA-256: 430a394d215c20f1fe7763480f9d0d19c6d4b4428d7768968bc7827acdd4201c
Size: 3.54 MB
Asianux Server 7 for x86_64
- openssl-1.0.2k-12.el7.x86_64.rpm
MD5: 76fd45b75051491f982560161c3accbe
SHA-256: 7b9d6230eca495f133ac2b5c6cd960a924e749aaf62d02159401646e70fe8499
Size: 491.04 kB - openssl-devel-1.0.2k-12.el7.x86_64.rpm
MD5: fe35dede8b242d50f78a9a743e3092e6
SHA-256: e6a0701844612c71332cce68bd566d06adfa2a5f47028cbdbccbd42ba7661c6b
Size: 1.50 MB - openssl-libs-1.0.2k-12.el7.x86_64.rpm
MD5: 2591bfdd76d95e2c4f229f140f59718d
SHA-256: 074809247f10e90085027458680bbab1ca46619106d9247305f65da9af49b44a
Size: 1.19 MB - openssl-devel-1.0.2k-12.el7.i686.rpm
MD5: 9924b70eb9d2e8387b5c4dac3a949818
SHA-256: 233775b78fa4fbdb31c6d2f4cb62ffcadce1763228c553060963c4b95a2497c3
Size: 1.50 MB - openssl-libs-1.0.2k-12.el7.i686.rpm
MD5: cc7a8b75471fdbcb4a973ed7b3bf1c97
SHA-256: a5016cfdeee6b63c283410670cbef74aba4995a35dbe54da534d673485193ad4
Size: 0.97 MB