Vulnerabilities in OpenSSL triggered while verifying X.509 certificates

A corrective release of the OpenSSL cryptographic library, version 3.0.7, has been published, fixing two vulnerabilities. Both issues are buffer overflows in the code that validates e-mail address fields in X.509 certificates, and both could potentially lead to code execution while processing a specially crafted certificate. At the time the fix was published, the OpenSSL developers had no evidence of a working exploit capable of executing attacker-supplied code.

Although the pre-announcement of the new release spoke of a critical issue, in the published update the severity of the vulnerability was lowered to High rather than Critical. Under the rules adopted by the project, the severity level is lowered when the issue only manifests in atypical configurations or when the probability of exploiting it in practice is low.

In this case the severity was lowered because a detailed analysis of the vulnerability by several organisations concluded that code execution during exploitation is blocked by the stack-protection mechanisms used on many platforms. In addition, the stack layout used in some Linux distributions places the 4 bytes written out of bounds on top of the next buffer on the stack, which is not yet in use at that point. Nevertheless, platforms on which the bug could still be turned into code execution may exist.

The identified issues:

  • CVE-2022-3602 - the vulnerability initially announced as critical: a 4-byte stack buffer overflow during name constraint checking, when a field containing a specially crafted e-mail address in an X.509 certificate is validated. In a TLS client it can be triggered by connecting to an attacker-controlled server; in a TLS server it can be triggered if the server requests client certificate authentication. The overflow occurs at a stage after the certificate's chain of trust has been verified, i.e. the attack requires a certificate authority to have signed the attacker's malicious certificate (or the application to continue certificate verification despite failing to build a path to a trusted issuer).
  • CVE-2022-3786 - a second exploitation vector for the same flaw, found while analysing CVE-2022-3602. The difference is that the stack buffer can be overflowed by an arbitrary number of bytes, but every one of them is the "." character (i.e. the attacker does not control the contents of the overflow, so the issue can only be used to crash the application).

The vulnerability only affects the OpenSSL 3.0.x branch (the bug was introduced in the punycode (Unicode conversion) code added in 3.0.x). OpenSSL 1.1.1 releases, as well as the OpenSSL forks LibreSSL and BoringSSL, are not affected. At the same time, the OpenSSL 1.1.1s update was released, which contains only non-security bug fixes.
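To make the 4-byte overflow described under CVE-2022-3602 concrete, here is a small RFC 3492 punycode decoder in which the bounds check before each insertion can be run in its off-by-one form (allows one extra code point, i.e. 4 bytes, to be written past the declared capacity) or in its corrected form. This is an added example written for this page, not OpenSSL's code; the function names (punycode_decode, decode_with_sentinel) and the sentinel slot are inventions of the example. The decoder writes into a buffer that physically has one spare slot, so the extra write is observable instead of being undefined behaviour.

```c
/*
 * Minimal RFC 3492 punycode decoder illustrating the off-by-one bounds check
 * behind CVE-2022-3602. Added example, not OpenSSL code; names are invented.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PC_BASE = 36, PC_TMIN = 1, PC_TMAX = 26, PC_SKEW = 38,
       PC_DAMP = 700, PC_INITIAL_BIAS = 72, PC_INITIAL_N = 128 };

/* Marker stored in the slot just past the decoder's declared capacity. */
#define PC_SENTINEL 0xDEADBEEFu

static int pc_digit(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0' + 26;
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a';
    return -1;
}

/* Bias adaptation from RFC 3492 section 6.1. */
static uint32_t pc_adapt(uint32_t delta, uint32_t numpoints, int firsttime)
{
    uint32_t k = 0;
    delta = firsttime ? delta / PC_DAMP : delta / 2;
    delta += delta / numpoints;
    while (delta > ((PC_BASE - PC_TMIN) * PC_TMAX) / 2) {
        delta /= PC_BASE - PC_TMIN;
        k += PC_BASE;
    }
    return k + (PC_BASE - PC_TMIN + 1) * delta / (delta + PC_SKEW);
}

/*
 * Decode the punycode label `in` (the part after "xn--") into `out`, declared
 * to hold max_out code points. Returns the count written, or -1 on malformed
 * input or insufficient space. strict_check picks the pre-insertion test:
 *   0 -> "written >  max_out": off by one, permits one write at out[max_out]
 *   1 -> "written >= max_out": correct
 */
int punycode_decode(const char *in, uint32_t *out, size_t max_out, int strict_check)
{
    size_t in_len = strlen(in), written = 0, pos = 0, delim = 0;
    int has_delim = 0;
    uint32_t n = PC_INITIAL_N, bias = PC_INITIAL_BIAS, i = 0;

    /* Everything before the last '-' is ASCII and is copied verbatim. */
    for (size_t j = 0; j < in_len; j++)
        if (in[j] == '-') { delim = j; has_delim = 1; }
    if (has_delim) {
        for (size_t j = 0; j < delim; j++) {
            if ((unsigned char)in[j] >= 0x80 || written >= max_out) return -1;
            out[written++] = (unsigned char)in[j];
        }
        pos = delim + 1;
    }

    /* Each encoded delta yields one non-ASCII code point inserted at index i. */
    while (pos < in_len) {
        uint32_t oldi = i, w = 1, k, t;
        for (k = PC_BASE; ; k += PC_BASE) {
            if (pos >= in_len) return -1;
            int digit = pc_digit((unsigned char)in[pos++]);
            if (digit < 0 || (uint32_t)digit > (UINT32_MAX - i) / w) return -1;
            i += (uint32_t)digit * w;
            t = k <= bias ? PC_TMIN : (k >= bias + PC_TMAX ? PC_TMAX : k - bias);
            if ((uint32_t)digit < t) break;
            if (w > UINT32_MAX / (PC_BASE - t)) return -1;
            w *= PC_BASE - t;
        }
        bias = pc_adapt(i - oldi, (uint32_t)written + 1, oldi == 0);
        if (i / (written + 1) > UINT32_MAX - n) return -1;
        n += i / (uint32_t)(written + 1);
        i %= (uint32_t)(written + 1);

        /* The bounds check that CVE-2022-3602 got wrong ('>' instead of '>='). */
        if (strict_check ? written >= max_out : written > max_out) return -1;
        memmove(out + i + 1, out + i, (written - i) * sizeof *out);
        out[i++] = n;
        written++;
    }
    return (int)written;
}

/* Decode into a buffer with a spare, sentinel-filled slot at index max_out so
 * an off-by-one write shows up in *slot_after instead of corrupting memory. */
int decode_with_sentinel(const char *in, size_t max_out, int strict_check,
                         uint32_t *slot_after)
{
    uint32_t buf[32];
    if (max_out + 1 > sizeof buf / sizeof buf[0]) return -1;
    buf[max_out] = PC_SENTINEL;
    int r = punycode_decode(in, buf, max_out, strict_check);
    *slot_after = buf[max_out];
    return r;
}

int main(void)
{
    /* "bcher-kva" decodes to "bücher": six code points, declared room for five. */
    uint32_t slot;
    int r = decode_with_sentinel("bcher-kva", 5, 0, &slot);
    printf("lenient check: returned %d, slot past buffer = 0x%08x\n", r, slot);
    r = decode_with_sentinel("bcher-kva", 5, 1, &slot);
    printf("strict check:  returned %d, slot past buffer = 0x%08x\n", r, slot);
    return 0;
}
```

With the lenient check the decoder reports six code points and the sentinel slot now holds 'r' (0x72), which is the one-code-point, 4-byte write past the end; with the strict check the decoder refuses the insertion and the sentinel survives. In the real library that spare slot is whatever happens to follow the buffer on the stack, which is why the impact depends on the platform's stack layout and protections as described above.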

The OpenSSL 3.0 branch is used in distributions such as Ubuntu 22.04, CentOS Stream 9, RHEL 9, OpenMandriva 4.2, Gentoo, Fedora 36 and Debian Testing/Unstable. Users of these systems are advised to install the update as soon as possible (Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch). In SUSE Linux Enterprise 15 SP4 and openSUSE Leap 15.4, packages with OpenSSL 3.0 are available as an option, while the default packages use the 1.1.1 branch. Debian 11, Arch Linux, Void Linux, Ubuntu 20.04, Slackware, ALT Linux, RHEL 8, OpenWrt, Alpine Linux 3.16 and FreeBSD remain on the OpenSSL 1.1.x branch.

Source: opennet.ru
