神刀安全网

Fixing the OpenSSL CVE-2016-2107/CVE-2016-2108 Vulnerabilities

Severity: High

This issue affected versions of OpenSSL prior to April 2015. The bug causing the vulnerability was fixed on April 18th 2015, and released as part of the June 11th 2015 security releases. The security impact of the bug was not known at the time.

In previous versions of OpenSSL, ASN.1 encoding the value zero represented as a negative integer can cause a buffer underflow with an out-of-bounds write in i2c_ASN1_INTEGER. The ASN.1 parser does not normally create “negative zeroes” when parsing ASN.1 input, and therefore, an attacker cannot trigger this bug.

However, a second, independent bug revealed that the ASN.1 parser (specifically, d2i_ASN1_TYPE) can misinterpret a large universal tag as a negative zero value. Large universal tags are not present in any common ASN.1 structures (such as X509) but are accepted as part of ANY structures.

Therefore, if an application deserializes untrusted ASN.1 structures containing an ANY field, and later reserializes them, an attacker may be able to trigger an out-of-bounds write. This has been shown to cause memory corruption that is potentially exploitable with some malloc implementations.

Applications that parse and re-encode X509 certificates are known to be vulnerable. Applications that verify RSA signatures on X509 certificates may also be vulnerable; however, only certificates with valid signatures trigger ASN.1 re-encoding and hence the bug. Specifically, since OpenSSL’s default TLS X509 chain verification code verifies the certificate chain from root to leaf, TLS handshakes could only be targeted with valid certificates issued by trusted Certification Authorities.

OpenSSL 1.0.2 users should upgrade to 1.0.2c
OpenSSL 1.0.1 users should upgrade to 1.0.1o

As the official site says, the fix is simply to upgrade to a newer version.

wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
tar xf openssl-1.0.2h.tar.gz
cd openssl-1.0.2h/
./config --prefix=/usr shared zlib
make -j $(awk '/processor/{i++}END{print i}' /proc/cpuinfo) && make install && cd
openssl version -a

OpenSSL 1.0.2h  3 May 2016
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/ssl"

If OpenSSL was compiled into Nginx when it was installed, Nginx has to be rebuilt here as well; if Nginx loads OpenSSL as an external library, there is no need to recompile. Nginx can be upgraded smoothly.

wget -c http://mirrors.dwhd.org/Nginx/nginx-1.10.0.tar.gz
tar xf nginx-1.10.0.tar.gz
cd nginx-1.10.0/
./configure --prefix=/usr/local/nginx --user=www --group=www \
--with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-ipv6 --with-http_gzip_static_module \
--with-http_realip_module --with-http_flv_module --with-pcre-jit --with-ld-opt='-ljemalloc' --with-http_mp4_module \
--with-http_gunzip_module --with-http_image_filter_module --with-http_addition_module \
--with-pcre=../pcre-8.38 --add-module=../ngx-fancyindex --add-module=../ngx_http_substitutions_filter_module --add-module=../ngx_http_google_filter_module
# Note: the line above references things that live in other locations.
make -j $(awk '/processor/{i++}END{print i}' /proc/cpuinfo) && make install && cd
service nginx reload
nginx -V

nginx version: nginx/1.10.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.2h  3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-ipv6 --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-pcre-jit --with-ld-opt=-ljemalloc --with-http_mp4_module --with-http_gunzip_module --with-http_image_filter_module --with-http_addition_module --with-pcre=../pcre-8.38 --add-module=../ngx-fancyindex --add-module=../ngx_http_substitutions_filter_module --add-module=../ngx_http_google_filter_module
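
To confirm after the rebuild that both binaries report a release at or above the fixed versions quoted above (1.0.2c, 1.0.1o), the version line can be checked with a small script. This is an added example, not part of the original post; the function name classify_openssl and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): classify an OpenSSL version line
# against the fixed releases quoted in the advisory text: 1.0.2c and 1.0.1o.
# Distribution packages may backport fixes without changing the letter, so this
# is meaningful for source builds like the one shown on this page.
FIXED_102=c   # minimum fixed letter on the 1.0.2 branch
FIXED_101=o   # minimum fixed letter on the 1.0.1 branch

# classify_openssl TEXT -> prints: fixed | vulnerable | unknown
# TEXT may be `openssl version` output or the multi-line `nginx -V 2>&1` output.
classify_openssl() {
    # Extract "<branch> <letters>" from e.g. "built with OpenSSL 1.0.2h  3 May 2016".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL[[:space:]]\{1,\}\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\)\([a-z]*\).*/\1 \2/p' |
        head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }
    branch=${ver%% *}
    suffix=${ver#* }
    case $branch in
        1.0.2) min=$FIXED_102 ;;
        1.0.1) min=$FIXED_101 ;;
        *) echo unknown; return 0 ;;   # branch not covered by the quoted text
    esac
    # Letter releases order by length first ("" < a..z < za..), then alphabetically.
    if LC_ALL=C awk -v s="$suffix" -v m="$min" 'BEGIN {
            exit !(length(s) > length(m) || (length(s) == length(m) && s >= m)) }'
    then echo fixed
    else echo vulnerable
    fi
}

# Constructed sample lines; on a real host pass "$(openssl version)" and
# "$(nginx -V 2>&1)" instead.
for sample in \
    "OpenSSL 1.0.2h  3 May 2016" \
    "built with OpenSSL 1.0.2b" \
    "OpenSSL 1.0.1o"
do
    printf '%-30s %s\n' "$sample" "$(classify_openssl "$sample")"
done
```

A statically linked Nginx only reports the new version once the rebuilt binary is the one being executed, so run the check against `nginx -V` from the installed path as well as against `openssl version`.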
