°øÁö»çÇ×

Á¦¸ñ OpenSSL ´ÙÁß Ãë¾àÁ¡ º¸¾È¾÷µ¥ÀÌÆ® ±Ç°í
ÀÛ¼ºÀÏ 2015-10-28

°³¿ä

 

  • Ãë¾àÇÑ OpenSSL ¹öÀüÀ» »ç¿ëÇÏ´Â ¼­¹ö¿Í Ŭ¶óÀ̾ðÆ® »çÀÌ¿¡¼­ °ø°ÝÀÚ°¡ ¾ÏȣȭµÈ µ¥ÀÌÅ͸¦ º¹È£È­ÇÒ ¼ö ÀÖ´Â Ãë¾àÁ¡, ¼­ºñ½º °ÅºÎ Ãë¾àÁ¡ µî 7°³ÀÇ Ãë¾àÁ¡À» º¸¿ÏÇÑ º¸¾È¾÷µ¥ÀÌÆ®¸¦ ¹ßÇ¥[1]

 

¼³¸í

 

  • TLS ÇÁ·ÎÅäÄÝ¿¡¼­ Diffie-Hellman Å° ±³È¯ ó¸® Áß 512ºñÆ®·Î ´Ù¿î±×·¹ÀÌµå ½ÃÅ°´Â Ãë¾àÁ¡(CVE-2015-4000)
  • ECParameters ±¸Á¶ ó¸® Áß ¹ß»ýÇÏ´Â ¼­ºñ½º °ÅºÎ Ãë¾àÁ¡ (CVE-2015-1788)
  • X509_cmp_time ÇÔ¼ö¿¡¼­ ¹ß»ýÇÏ´Â ¼­ºñ½º °ÅºÎ °ø°Ý Ãë¾àÁ¡ (CVE-2015-1789)
  • ASN.1 ÀÎÄÚµù µÈ PKCS#7 µ¥ÀÌÅÍ Ã³¸® Áß ¹ß»ýÇÏ´Â Out-of-bounds Àб⠰¡´É Ãë¾àÁ¡(CVE-2015-1790)
  • ¾Ë ¼ö ¾ø´Â Çؽ¬ ÇÔ¼ö¸¦ »ç¿ëÇÏ´Â ¾Ïȣȭ ¸Þ½ÃÁö ó¸® Áß ¹ß»ýÇÏ´Â ¹«ÇÑ ·çÇÁ Ãë¾àÁ¡ (CVE-2015-1792)
  • NewSessionTicket ó¸® Áß ¹ß»ýÇÏ´Â Race condition Ãë¾àÁ¡ (CVE-2015-1791)
  • ChangeCipherSpec ¸Þ½ÃÁö¿Í ¿Ï·á ¸Þ½ÃÁö »çÀÌ¿¡ µ¥ÀÌÅÍ Ã³¸® Áß ¹ß»ýÇÏ´Â Double Free Ãë¾àÁ¡ (CVE-2014-8176)

 

ÇØ´ç ½Ã½ºÅÛ

 

  • ¿µÇâ ¹Þ´Â Á¦Ç° ¹× ¹öÀü
    - OpenSSL 1.0.2 ´ë ¹öÀü
    - OpenSSL 1.0.1 ´ë ¹öÀü
    - OpenSSL 1.0.0 ´ë ¹öÀü
    - OpenSSL 0.9.8 ´ë ¹öÀü

 

ÇØ°á ¹æ¾È

 

  • ÇØ´ç Ãë¾àÁ¡¿¡ ¿µÇâ ¹Þ´Â ¹öÀüÀÇ »ç¿ëÀÚ´Â ¾Æ·¡ ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®[2]
    - OpenSSL 1.0.2 »ç¿ëÀÚ : 1.0.2b·Î ¾÷µ¥ÀÌÆ®
    - OpenSSL 1.0.1 »ç¿ëÀÚ : 1.0.1n·Î ¾÷µ¥ÀÌÆ®
    - OpenSSL 1.0.0 »ç¿ëÀÚ : 1.0.0s·Î ¾÷µ¥ÀÌÆ®
    - OpenSSL 0.9.8 »ç¿ëÀÚ : 0.9.8zg·Î ¾÷µ¥ÀÌÆ®
    ¡Ø CVE-2015-4000Àº OpenSSL 1.0.2b, 1.0.1n¿¡¼­¸¸ ¼öÁ¤

 

¿ë¾î ¼³¸í

 

  • Diffie-Hellman Å° ±³È¯ : ¾Ïȣȭ µÇÁö ¾ÊÀº Åë½Å¸Á¿¡¼­ÀÇ °øÅëÀÇ ºñ¹Ð Å° °øÀ¯¸¦ À§ÇÑ ¾Ë°í¸®Áò
  • PKCS#7 : RSA»ç°¡ Á¦½ÃÇÑ °ø°³ Å° ¾ÏÈ£ Ç¥ÁØÀÇ Çϳª·Î ¾ÏÈ£ÇÐÀû ¸Þ½ÃÁö ±¸¹® Ç¥ÁØ

 

Ãß°¡»çÇ×

 

  • Open SSL 0.9.8, OpenSSL 1.0.0 ¹öÀüÀº 2015³â 12¿ù 31ÀϺηΠ¼­ºñ½º Á¾·á ¿¹Á¤À¸·Î ÇØ´ç ¹öÀüÀ» »ç¿ëÁßÀÎ »ç¿ëÀÚ´Â ¾÷µ¥ÀÌÆ® °ËÅä ¿ä¸Á

 

±âŸ ¹®ÀÇ»çÇ×

 

  • Çѱ¹ÀÎÅͳÝÁøÈï¿ø ÀÎÅͳÝħÇØ´ëÀÀ¼¾ÅÍ: ±¹¹ø¾øÀÌ 118

 

[Âü°í»çÀÌÆ®]

 

  1. http://openssl.org/news/secadv_20150611.txt
  2. https://www.openssl.org
¡ã ÀÌÀü±Û OpenSSL Ãë¾àÁ¡ º¸¾È¾÷µ¥ÀÌÆ® ±Ç°í
¡å ´ÙÀ½±Û Yessign SSLº¸¾ÈÀÎÁõ¼­ ÆǸÅÁßÁö ¾È³»(9¿ù30ÀϱîÁö¹ß±Þ)