CVE编号
CVE-2016-0703利用情况
暂无补丁情况
官方补丁披露时间
2016-03-03漏洞描述
OpenSSL是一种开放源码的SSL实现,用来实现网络通信的高强度加密,现在被广泛地用于各种网络应用程序中。OpenSSL 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze及更早版本中的s2_srvr.c未确保non-export密钥的clear-key-length为0存在安全漏洞,允许攻击者利用该漏洞导致分治法密钥恢复攻击。
解决建议
目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:https://www.openssl.org/news/secadv/20160301.txt
参考链接 |
|
|---|---|
| http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759 | |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html | |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html | |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html | |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html | |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html | |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html | |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html | |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html | |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html | |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html | |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html | |
| http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html | |
| http://openssl.org/news/secadv/20160301.txt | |
| http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa... | |
| http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | |
| http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html | |
| http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html | |
| http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html | |
| http://www.securityfocus.com/bid/83743 | |
| http://www.securitytracker.com/id/1035133 | |
| https://drownattack.com | |
| https://git.openssl.org/?p=openssl.git;a=commit;h=ae50d8270026edf5b3c7f8aaa0c... | |
| https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr... | |
| https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n... | |
| https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168 | |
| https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc | |
| https://security.gentoo.org/glsa/201603-15 | |
| https://www.arista.com/en/support/advisories-notices/security-advisories/1260... | |
| https://www.openssl.org/news/secadv/20160301.txt |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | * |
Up to (including) 0.9.8ze |
|||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0a | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0b | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0c | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0d | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0e | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0f | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0g | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0h | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0i | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0j | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0k | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0l | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0m | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0n | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0o | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0p | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.0q | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1a | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1b | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1c | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1d | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1e | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1f | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1g | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1h | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1i | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1j | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1k | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.1l | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | openssl | openssl | 1.0.2 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian | DPKG | * |
Up to (excluding) 1.0.0c-2 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | redhat_5 | openssl | * |
Up to (excluding) 0:0.9.8e-33.el5_11 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | redhat_6 | openssl | * |
Up to (excluding) 0:1.0.1e-30.el6_6.7 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | redhat_7 | openssl | * |
Up to (excluding) 1:1.0.1e-42.el7_1.4 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | redhat_7 | openssl098e | * |
Up to (excluding) 0:0.9.8e-20.el6_7.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | suse_12 | libopenssl1_0_0 | * |
Up to (excluding) 1.0.1i-27.13 |
|||||
- 攻击路径 远程
- 攻击复杂度 困难
- 权限要求 无需权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 无影响
- 服务器危害 无影响
- 全网数量 100
还没有评论,来说两句吧...