|
|
[ °ø Áö ] OpenSSL ´ÙÁß Ãë¾àÁ¡ º¸¾È¾÷µ¥ÀÌÆ® ±Ç°í |
|
2014-10-20 |
|
|
¾È³çÇϽʴϱî. È£½ºÆ®¸ÕÆ®ÀÔ´Ï´Ù.
¸ÕÀú È£½ºÆ®¸ÕÆ®¸¦ ¾Æ²¸ÁÖ½Ã°í »ç¶ûÇØ Áֽô °í°´ ¿©·¯ºÐ²² Áø½ÉÀ¸·Î °¨»çµå¸®¸ç
OpenSSL ´ÙÁß Ãë¾àÁ¡ º¸¾È¾÷µ¥ÀÌÆ® ±Ç°í°¡ ÀÖ¾î À̸¦ ¾Ë·Áµå¸®°íÀÚ ÇÕ´Ï´Ù.
---------------------------------------------------------------------------
°³¿ä
•OpenSSL¿¡¼ ¹ß»ýÇÑ ¸Þ¸ð¸® °í°¥ Ãë¾àÁ¡, Ǫµé(Poodle, Padding Oracle On Downloaded Legacy Encryption) Ãë¾àÁ¡ µî ÃÑ 4°³ÀÇ Ãë¾àÁ¡À» º¸¿ÏÇÑ º¸¾È¾÷µ¥ÀÌÆ®¸¦ ¹ßÇ¥ÇÔ[1]
¼³¸í
•DTLS SRTP Çڵ彦ÀÌÅ© ¸Þ½ÃÁö¸¦ ó¸®ÇÏ´Â Áß ¹ß»ýÇÏ´Â ¸Þ¸ð¸® °í°¥ Ãë¾àÁ¡ (CVE-2014-3513)
•SSL/TLS/DTLS ¼¹ö¿¡¼ session ticket °ªÀ» ¹ÞÀ» ¶§ ¹ß»ýÇÏ´Â ¸Þ¸ð¸® °í°¥ Ãë¾àÁ¡ (CVE-2014-3567)
•SSL3.0¿¡¼ ´Ù¿î ±×·¹À̵带 ÅëÇØ MITM(man-in-the-middle)°ø°ÝÀ» °¡´ÉÇÏ°Ô Çϴ Ǫµé(Poodle, Padding Oracle On Downloaded Legacy Encryption) Ãë¾àÁ¡ (CVE-2014-3566)
•OpenSSL build optionÀÎ no-ssl3¿¡¼ ¹ß»ýÇÑ Ãë¾àÁ¡ (CVE-2014-3568)
ÇØ´ç ½Ã½ºÅÛ
•¿µÇâ ¹Þ´Â Á¦Ç° ¹× ¹öÀü
◦OpenSSL 0.9.8 ´ë ¹öÀü
◦OpenSSL 1.0.0 ´ë ¹öÀü
◦OpenSSL 1.0.1 ´ë ¹öÀü
ÇØ°á ¹æ¾È
•ÇØ´ç Ãë¾àÁ¡¿¡ ¿µÇâ ¹Þ´Â ¹öÀüÀÇ »ç¿ëÀÚ´Â ¾Æ·¡ ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®[2]
◦OpenSSL 0.9.8 »ç¿ëÀÚ : 0.9.8zc·Î ¾÷µ¥ÀÌÆ®
◦OpenSSL 1.0.0 »ç¿ëÀÚ : 1.0.0o·Î ¾÷µ¥ÀÌÆ®
◦OpenSSL 1.0.1 »ç¿ëÀÚ : 1.0.1j·Î ¾÷µ¥ÀÌÆ®
¿ë¾î ¼³¸í
•DTLS(Datagram Transport Layer Security) : µ¥ÀÌÅÍ ±×·¥ Àü¼Û°èÃþÀ» º¸È£Çϱâ À§ÇÑ UDP ±â¹Ý TLS ÇÁ·ÎÅäÄÝ
•SRTP(Secure Real-time Transport Protocol) : ½Ç½Ã°£À¸·Î Àü¼ÛµÇ´Â ¸ÖƼ¹Ìµð¾î µ¥ÀÌÅ͸¦ ¾ÏÈ£ÈÇÏ¿© ¼Û¼ö½ÅÇÏ´Â ÇÁ·ÎÅäÄÝ
±âŸ ¹®ÀÇ»çÇ×
•Çѱ¹ÀÎÅͳÝÁøÈï¿ø ÀÎÅͳÝħÇØ´ëÀÀ¼¾ÅÍ: ±¹¹ø¾øÀÌ 118
[Âü°í»çÀÌÆ®]
[1] https://www.openssl.org/news/secadv_20141015.txt
[2] https://www.openssl.org/
°¨»çÇÕ´Ï´Ù.
---------------------------------------------------------------------------
Áñ°Å¿òÀÌ Àִ ȣ½ºÆà ¼ºñ½º [ È£½ºÆ®¸ÕÆ® ]
|
|
|