Revizija upozorenja vezanog uz paket OpenSSL

Izdana je revizija sigurnosnog upozorenja prvotno izdanog 21. ožujka 2012. godine. U orginalnoj preporuci opisani su nedostaci koje udaljeni napadači mogu iskoristiti za otkrivanje osjetljivih informacija i DoS napad.

Paket:	OpenSSL 0.x
Operacijski sustavi:	IBM AIX 5.x, IBM AIX 6.x, IBM AIX 7.x
Kritičnost:	9.3
Problem:	neodgovarajuće rukovanje datotekama, neodgovarajuće rukovanje memorijom, pogreška u programskoj komponenti
Iskorištavanje:	udaljeno
Posljedica:	otkrivanje osjetljivih informacija, uskraćivanje usluga (DoS)
Rješenje:	programska zakrpa proizvođača
CVE:	CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4619, CVE-2012-0050
Izvorni ID preporuke:	IBM SECURITY ADVISORY
Izvor:	IBM

Problem:
Uočene su greške u programskoj komponenti Server Gated Cryptography (SGC) i implementaciji protokola Datagram Transport Layer Security (DTLS), te prilikom oslobađanja memorije i inicijaliziranja određenih struktura podataka. Revizija je objavljena zbog nadopune podataka o ranjivostima.
Posljedica:
Navedene propuste napadač može iskoristiti za čitanje osjetljivih podataka i napad uskraćivanjem usluga (DoS napad).
Rješenje:
Korisnici se potiču na korištenje službenih programskih rješenja.

Izvorni tekst preporuke

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Wed Mar 21 13:02:49 CDT 2012
|Updated: Thu Mar 22 09:06:21 CDT 2012
|Added VIOS release reference 

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc
or
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc

                           VULNERABILITY SUMMARY

VULNERABILITY:   Multiple OpenSSL vulnerabilities 

PLATFORMS:       AIX 5.3, 6.1, 7.1, and earlier releases
|                VIOS 2.X and 1.5.2

SOLUTION:        Apply the fix as described below.

THREAT:          See below

CVE Numbers:    CVE-2011-4108
                CVE-2011-4109
                CVE-2011-4576
                CVE-2011-4619
                CVE-2012-0050

                           DETAILED INFORMATION

I. DESCRIPTION (from cve.mitre.org)

    The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 
    1.0.0f performs a MAC check only if certain padding is valid, which 
    makes it easier for remote attackers to recover plaintext via a 
    padding oracle attack. 

    Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when 
    X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have 
    an unspecified impact by triggering failure of a policy check. 

    The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 
    1.0.0f does not properly initialize data structures for block cipher 
    padding, which might allow remote attackers to obtain sensitive 
    information by decrypting the padding data sent by an SSL peer. 

    The Server Gated Cryptography (SGC) implementation in OpenSSL before 
    0.9.8s and 1.x before 1.0.0f does not properly handle handshake 
    restarts, which allows remote attackers to cause a denial of service 
    via unspecified vectors. 

    OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, 
    which allows remote attackers to cause a denial of service via 
    unspecified vectors. NOTE: this vulnerability exists because of an 
    incorrect fix for CVE-2011-4108. 

    Please see the following for more information:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0050

II. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L openssl.base

    On VIO Server:

    oem_setup_env
    lslpp -L openssl.base

    The following fileset levels are vulnerable:

    AIX 7.1, 6.1, 5.3: all versions less than or equal 0.9.8.1800
    AIX 7.1, 6.1, 5.3: FIPS capable versions less than or equal 12.9.8.1180
    AIX 5.2: all versions less than or equal 0.9.8.808
|   VIOS 2.X, 1.5.2: all versions less than or equal 0.9.8.1800

    IMPORTANT: If AIX OpenSSH is in use, it must be updated to version
    OpenSSH 5.0 or later, depending on the OpenSSL version according to
    following compatibility matrix:

    AIX              OpenSSL                    OpenSSH
    ------------------------------------------------------------------
    5.2              OpenSSL 0.9.8.80x          OpenSSH 5.0
    5.3,6.1,7.1      OpenSSL 0.9.8.18xx         OpenSSH 5.8.0.61xx
    5.3,6.1,7.1      OpenSSL-fips 12.9.8.18xx   OpenSSH 5.8.0.61xx

|   VIOS             OpenSSL                    OpenSSH
|   ------------------------------------------------------------------
|   2.X,1.5.2        OpenSSL 0.9.8.18x          OpenSSH 5.8.0.61xx

    AIX OpenSSH can be downloaded from:

    OpenSSH 5.0:
    http://sourceforge.net/projects/openssh-aix
    OpenSSH 5.8.0.61xx
    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

III. FIXES

    A fix is available, and it can be downloaded from:

    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

    To extract the fixes from the tar file:

    zcat openssl.0.9.8.1801.tar.Z | tar xvf -
    or
    zcat openssl-fips.12.9.8.1801.tar.Z | tar xvf -
    or
    zcat openssl.0.9.8.809.tar.Z | tar xvf -

    IMPORTANT: If possible, it is recommended that a mksysb backup
    of the system be created.  Verify it is both bootable and
    readable before proceeding.

    To preview the fix installation:

    installp -apYd . openssl

    To install the fix package:

    installp -aXYd . openssl

IV. WORKAROUNDS

    There are no workarounds.

V. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www.ibm.com/systems/support

    and click on the "My notifications" link.

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.

    To obtain the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.

        B. Download the key from our web page:

  http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

        C. Download the key from a PGP Public Key Server. The key ID is:

	    0x28BFAA12

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFPazos4fmd+Ci/qhIRAoSsAJ4urtr/MOo5tUt0ouhOzEVHRubH9QCfZKDD
uJFRkkmKR7KECYkDi/0+7zY=
=fh9u
-----END PGP SIGNATURE-----

Revizija upozorenja vezanog uz paket OpenSSL

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti

Revizija upozorenja vezanog uz paket OpenSSL

Tražilica portala

Aktivnosti

O CIS-u

Posljednje sigurnosne preporuke

Posljednje vijesti

Popularni članci

Posljednji dokumenti