OpenSSL Bad Version Oracle Side-Channel Attack Vulnerability

Vulnerability Details

Vulnerability Description

The SSL and TLS components of OpenSSL 0.9.6i and earlier, and of 0.9.7 and 0.9.7a, are vulnerable. A remote attacker can perform unauthenticated RSA private-key operations by means of an improved Bleichenbacher attack that uses a large number of SSL or TLS connections with PKCS #1 v1.5 padding, which may cause OpenSSL to leak information about the relationship between a ciphertext and its associated plaintext. This is also known as the "Klima-Pokorny-Rosa attack".
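The leak comes from the server reacting differently to a malformed PKCS #1 v1.5 block than to a well-formed block whose embedded protocol version is wrong. The following Python example is added here and is not OpenSSL's code; it contrasts the two handler shapes for the RSA-decrypted ClientKeyExchange block, with constructed inputs, a hypothetical helper `make_block`, and a 128-byte modulus as assumptions. It illustrates the control-flow principle only; Python is not a constant-time language, and the real fix lives in the library's C code.

```python
import os
import hmac

PREMASTER_LEN = 48  # TLS pre-master secret: 2 version bytes + 46 random bytes


def pkcs1_v15_unpad(em: bytes):
    """Strip PKCS #1 v1.5 type-2 padding (00 02 PS 00 M, PS >= 8 non-zero bytes).
    Returns M, or None when the block is malformed."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)          # end of the padding string PS
    if sep < 10:                       # no separator, or PS shorter than 8
        return None
    return em[sep + 1:]


def unwrap_premaster_vulnerable(em: bytes, client_version: bytes) -> bytes:
    """Pre-fix shape of the handler: two distinguishable failures. Across many
    crafted ClientKeyExchange blocks a peer can tell 'bad padding' from
    'bad version', which is exactly the oracle the attack needs."""
    m = pkcs1_v15_unpad(em)
    if m is None or len(m) != PREMASTER_LEN:
        raise ValueError("bad padding")
    if m[:2] != client_version:
        raise ValueError("bad version")
    return m


def unwrap_premaster_hardened(em: bytes, client_version: bytes, rng=os.urandom) -> bytes:
    """Post-fix shape: every failure collapses into one outcome, a random
    pre-master secret. The handshake then fails uniformly at the Finished
    check, and the peer learns nothing about padding or version."""
    fallback = rng(PREMASTER_LEN)      # drawn unconditionally, before any check
    m = pkcs1_v15_unpad(em)
    if m is None or len(m) != PREMASTER_LEN:
        m = fallback
    # constant-time compare, and no distinct error on a version mismatch
    version_ok = hmac.compare_digest(m[:2], client_version)
    return m if version_ok else fallback


def make_block(premaster: bytes, modulus_len: int = 128) -> bytes:
    """Constructed helper (not part of TLS): wrap a pre-master secret in
    type-2 padding, as the decrypted RSA block would look."""
    ps_len = modulus_len - 3 - len(premaster)
    ps = bytes(b or 0x5A for b in os.urandom(ps_len))   # PS must be non-zero
    return b"\x00\x02" + ps + b"\x00" + premaster
```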

Vulnerability Advisories

It is reported that certain versions of Computer Associates eTrust Security Command Center are prone to this vulnerability. Customers are advised to contact the vendor for further information pertaining to obtaining and applying appropriate updates.
SGI have released an advisory (20030501-01-I) which contains a fix to address this issue.
Hewlett-Packard have released an advisory (HPSBUX0304-0255 rev. 2) which contains fix information to address this issue.
Sorcerer Linux has released an advisory. Affected users are advised to issue the following commands to update the system:
augur synch && augur update
Gentoo has released openssl-0.9.6i-r2 which addresses this issue. Users are advised to upgrade by performing the following commands:
emerge sync
emerge openssl
emerge clean
NetBSD has made a source tree fix available, and has addressed this issue in NetBSD advisory 2003-007. See referenced advisory for additional details.
Trustix has released advisory 2003-0013 to address this issue.
Red Hat has released an advisory (RHSA-2003:101-01). Information about obtaining and applying fixes is available in the referenced advisory.
This issue is addressed in MacOS X 10.2.5. This update can be applied via the Software Update pane in System Preferences. Releases prior to 10.2.5 shipped with a vulnerable version of OpenSSL.
Debian has released a security advisory (DSA 288-1) containing fixes which address this and other issues. Further information regarding how to obtain and apply fixes can be found in the attached advisory.
F5 has released a patch which addresses this issue in their vulnerable products. A patch and further information can be obtained from the following location:
http://tech.f5.com/home/bigip/solutions/security/sol2379.html
GNU Transport Security Layer Library 0.8.5 has been made available which addresses this issue.
Ingrian Networks has reported that some products may be affected by this vulnerability. Users are advised to contact their vendor representatives or visit the http://www.ingrian.com/support/ webpage.
Mirapoint has reported that various products may be affected by this vulnerability. A patch (D3_SSL) is available which addresses this issue and can be obtained by visiting the http://support.mirapoint.com/ webpage.
HP has released SSL updates for OpenVMS systems. Please see the attached HP OpenVMS advisory (SSRT3499, SSRT3518) for details on obtaining and applying fixes. HP has also released an advisory for Tru64 UNIX systems that contains details about obtaining and applying patches. Please see advisory SSRT3499, SSRT3518 (Tru64) for further information.
SCO has released CSSA-2003-SCO.29 to address this and other issues in gwxlibs components for OpenServer. Please see CSSA-2003-SCO.29 for more details on obtaining and applying fixes.
Oracle has released an advisory and patches to address this issue. Users are advised to obtain patches from the Oracle Metalink site listed in the references.
Fixes available:
Sun Cobalt RaQ 4
Sun Cobalt RaQ 550
Sun Cobalt RaQ XTR
Sun Cobalt Qube 3
GNU Transport Layer Security Library 0.8.0
GNU Transport Layer Security Library 0.8.1
GNU Transport Layer Security Library 0.8.2
GNU Transport Layer Security Library 0.8.3
GNU Transport Layer Security Library 0.8.4
OpenSSL Project OpenSSL 0.9.6d
OpenSSL Project OpenSSL 0.9.6c

References

Source: US-CERT Vulnerability Note: VU#888801
Name: VU#888801
Link: http://www.kb.cert.org/vuls/id/888801

Source: BID
Name: 7148
Link: http://www.securityfocus.com/bid/7148

Source: BUGTRAQ
Name: 20030319 [OpenSSL Advisory] Klima-Pokorny-Rosa attack on PKCS #1 v1.5 padding
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104811162730834&w=2

Source: XF
Name: ssl-premaster-information-leak(11586)
Link: http://xforce.iss.net/xforce/xfdb/11586

Source: REDHAT
Name: RHSA-2003:102
Link: http://www.redhat.com/support/errata/RHSA-2003-102.html

Source: REDHAT
Name: RHSA-2003:101
Link: http://www.redhat.com/support/errata/RHSA-2003-101.html

Source: www.openssl.org
Link: http://www.openssl.org/news/secadv_20030319.txt

Source: SUSE
Name: SuSE-SA:2003:024
Link: http://www.novell.com/linux/security/advisories/2003_024_openssl.html

Source: www.linuxsecurity.com
Link: http://www.linuxsecurity.com/advisories/immunix_advisory-3066.html

Source: DEBIAN
Name: DSA-288
Link: http://www.debian.org/security/2003/dsa-288

Source: lists.apple.com
Link: http://lists.apple.com/mhonarc/security-announce/msg00028.html

Source: eprint.iacr.org
Link: http://eprint.iacr.org/2003/052/

Source: SGI
Name: 20030501-01-I
Link: ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I

Source: NETBSD
Name: NetBSD-SA2003-007
Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-007.txt.asc

Source: SUSE
Name: SuSE-SA:2003:024
Link: http://www.suse.de/de/security/2003_024_openssl.html

Source: BUGTRAQ
Name: 20030327 Immunix Secured OS 7+ openssl update
Link: http://www.securityfocus.com/archive/1/archive/1/316577/30/25310/threaded

Source: OPENPKG
Name: OpenPKG-SA-2003.026
Link: http://www.openpkg.org/security/OpenPKG-SA-2003.026-openssl.html

Source: MANDRAKE
Name: MDKSA-2003:035
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2003:035

Source: GENTOO
Name: GLSA-200303-20
Link: http://www.gentoo.org/security/en/glsa/glsa-200303-20.xml

Source: TRUSTIX
Name: 2003-0013
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104878215721135&w=2

Source: BUGTRAQ
Name: 20030324 GLSA: openssl (200303-20)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104852637112330&w=2

Source: CONECTIVA
Name: CLA-2003:625
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000625

Source: CALDERA
Name: CSSA-2003-014.0
Link: ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-014.0.txt

Source: US Government Resource: oval:org.mitre.oval:def:461
Name: oval:org.mitre.oval:def:461
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:461
