OpenSSL SSL TLS和DTLS明文恢复攻击漏洞

admin

0
文章

0
评论

2023-12-07 23:20:10 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

低危 OpenSSL SSL TLS和DTLS明文恢复攻击漏洞

CVE编号

CVE-2013-0169

利用情况

暂无

补丁情况

官方补丁

披露时间

2013-02-09

漏洞描述

OpenSSL是一款开放源码的SSL实现，用来实现网络通信的高强度加密。OpenSSL在处理SSL, TLS和DTLS中的CBC加密套件(ciphersuite)时存在一个缺陷，允许攻击者利用漏洞在MAC处理过程中利用时序差别进行攻击，获取敏感信息。具体攻击可参看http://www.isg.rhul.ac.uk/tls/。

解决建议

OpenSSL 1.0.1d, 1.0.0k 或0.9.8y已经修复此漏洞，建议用户下载使用：http://www.opera.com

参考链接
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-...
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://marc.info/?l=bugtraq&m=136396549913849&w=2
http://marc.info/?l=bugtraq&m=136432043316835&w=2
http://marc.info/?l=bugtraq&m=136439120408139&w=2
http://marc.info/?l=bugtraq&m=136733161405818&w=2
http://marc.info/?l=bugtraq&m=137545771702053&w=2
http://openwall.com/lists/oss-security/2013/02/05/24
http://rhn.redhat.com/errata/RHSA-2013-0587.html
http://rhn.redhat.com/errata/RHSA-2013-0782.html
http://rhn.redhat.com/errata/RHSA-2013-0783.html
http://rhn.redhat.com/errata/RHSA-2013-0833.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://secunia.com/advisories/53623
http://secunia.com/advisories/55108
http://secunia.com/advisories/55139
http://secunia.com/advisories/55322
http://secunia.com/advisories/55350
http://secunia.com/advisories/55351
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://support.apple.com/kb/HT5880
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
http://www.debian.org/security/2013/dsa-2621
http://www.debian.org/security/2013/dsa-2622
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
http://www.kb.cert.org/vuls/id/737740
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
http://www.matrixssl.org/news.html
http://www.openssl.org/news/secadv_20130204.txt
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
http://www.securityfocus.com/bid/57778
http://www.securitytracker.com/id/1029190
http://www.splunk.com/view/SP-CAAAHXG
http://www.ubuntu.com/usn/USN-1735-1
http://www.us-cert.gov/cas/techalerts/TA13-051A.html
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
https://puppet.com/security/cve/cve-2013-0169
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-...
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	openssl	openssl	*	From (including) 0.9.8	Up to (including) 0.9.8x
	运行在以下环境
	应用	openssl	openssl	*	From (including) 1.0.0	Up to (including) 1.0.0j
	运行在以下环境
	应用	openssl	openssl	*	From (including) 1.0.1	Up to (including) 1.0.1d
	运行在以下环境
	应用	oracle	openjdk	-	-
	运行在以下环境
	应用	oracle	openjdk	1.6.0	-
	运行在以下环境
	应用	oracle	openjdk	1.7.0	-
	运行在以下环境
	应用	oracle	openjdk	1.8.0	-
	运行在以下环境
	应用	polarssl	polarssl	0.10.0	-
	运行在以下环境
	应用	polarssl	polarssl	0.10.1	-
	运行在以下环境
	应用	polarssl	polarssl	0.11.0	-
	运行在以下环境
	应用	polarssl	polarssl	0.11.1	-
	运行在以下环境
	应用	polarssl	polarssl	0.12.0	-
	运行在以下环境
	应用	polarssl	polarssl	0.12.1	-
	运行在以下环境
	应用	polarssl	polarssl	0.13.1	-
	运行在以下环境
	应用	polarssl	polarssl	0.14.0	-
	运行在以下环境
	应用	polarssl	polarssl	0.14.2	-
	运行在以下环境
	应用	polarssl	polarssl	0.14.3	-
	运行在以下环境
	应用	polarssl	polarssl	0.99	-
	运行在以下环境
	应用	polarssl	polarssl	1.0.0	-
	运行在以下环境
	应用	polarssl	polarssl	1.1.0	-
	运行在以下环境
	应用	polarssl	polarssl	1.1.1	-
	运行在以下环境
	应用	polarssl	polarssl	1.1.2	-
	运行在以下环境
	应用	polarssl	polarssl	1.1.3	-
	运行在以下环境
	应用	polarssl	polarssl	1.1.4	-
	运行在以下环境
	系统	redhat_5	java-1.6.0-openjdk	*		Up to (excluding) 1:1.6.0.0-1.35.1.11.8.el5_9
	运行在以下环境
	系统	redhat_6	java-1.7.0-openjdk	*		Up to (excluding) 1:1.7.0.9-2.3.7.1.el6_3
	运行在以下环境
	系统	suse_12	java-1_7_0-openjdk	*		Up to (excluding) 1.7.0.91-21
	运行在以下环境
	系统	ubuntu_12.04.5_lts	openjdk-6	*		Up to (excluding) 6b27-1.12.3-0ubuntu1~12.04
	运行在以下环境
	系统	ubuntu_14.04.6_lts	openjdk-6	*		Up to (excluding) 6b27-1.12.3-1ubuntu1