CentOS 6 OpenSSL Padding Oracle Vulnerability (CVE-2016-2107)

I received a very bad overall grade on ssllabs.com: OpenSSL Padding Oracle Vulnerability (CVE-2016-2107).

This is what I am currently running (production environment):

  • OpenSSL 1.0.1e
  • CentOS 6.5
  • Apache 2.2.26 (installed manually, i.e. not via yum)

More details here:

yum info openssl

Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 57.el6
Size        : 4.1 M
Repo        : installed
From repo   : base
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

Available Packages
Name        : openssl
Arch        : i686
Version     : 1.0.1e
Release     : 57.el6
Size        : 1.5 M
Repo        : base
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

rpm -q --changelog "openssl" | head -n 7
* Tue Jan 31 2017 Tomáš Mráz <[email protected]> 1.0.1e-57
- fix CVE-2017-3731 - DoS via truncated packets with RC4-MD5 cipher

* Wed Nov 02 2016 Tomáš Mráz <[email protected]> 1.0.1e-55
- fix CVE-2016-8610 - DoS of single-threaded servers via excessive alerts

* Sat Oct 22 2016 Tomáš Mráz <[email protected]> 1.0.1e-54

ldd mod_ssl.so
ldd: ./mod_ssl.so: No such file or directory

tail -n 200 error_log | grep notice
[Tue Mar 20 14:38:24 2018] [notice] Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1h mod_perl/2.0.5 Perl/v5.10.1 configured -- resuming normal operations

rpm -qa |grep openssl
openssl-1.0.1e-57.el6.x86_64

How can I fix this? I cannot upgrade CentOS 6.5 right now. Also, yum upgrade openssl returns nothing.

Edit:

/usr/local/apache2/bin/apachectl -M
Loaded Modules:
 core_module (static)
 authn_file_module (static)
 authn_default_module (static)
 authz_host_module (static)
 authz_groupfile_module (static)
 authz_user_module (static)
 authz_default_module (static)
 auth_basic_module (static)
 include_module (static)
 filter_module (static)
 deflate_module (static)
 log_config_module (static)
 env_module (static)
 expires_module (static)
 headers_module (static)
 setenvif_module (static)
 version_module (static)
 proxy_module (static)
 proxy_connect_module (static)
 proxy_ftp_module (static)
 proxy_ht
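
The startup notice in the question's error_log reports OpenSSL/1.0.1h while rpm reports openssl-1.0.1e, and mod_ssl is loaded as a static module: the hand-built Apache carries its own copy of OpenSSL, so yum updates to the system library never reach the code doing TLS for this server. The following shell check is an added example, not code from the question or the answer; it parses both lines (constructed copies of the output shown above) and flags that mismatch, and the error_log path in the comment is assumed.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Compares the OpenSSL
# version Apache announces at startup with the openssl RPM actually installed.
# A difference means Apache (here with a static mod_ssl) was built against its
# own OpenSSL tree, so patching the system library with yum does not touch the
# code that handles TLS for this server.

# Pull "x.y.zW" out of an Apache [notice] startup line such as
# "... mod_ssl/2.2.26 OpenSSL/1.0.1h mod_perl/2.0.5 ...".
apache_openssl_version() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9a-z.]*\).*|\1|p'
}

# Pull the upstream version out of an "rpm -q openssl" name such as
# "openssl-1.0.1e-57.el6.x86_64" (release and arch are dropped).
rpm_openssl_version() {
    printf '%s\n' "$1" | sed -n 's|^openssl-\([0-9][0-9a-z.]*\)-.*|\1|p'
}

# Exit status 0 when both agree, 1 when they differ or either cannot be parsed.
# Agreement only shows which library Apache uses; whether a given CVE is fixed
# still has to come from "rpm -q --changelog openssl", because the distribution
# backports fixes without changing the 1.0.1e version string.
check_ssl_source() {
    apache_ver=$(apache_openssl_version "$1")
    rpm_ver=$(rpm_openssl_version "$2")
    if [ -n "$apache_ver" ] && [ "$apache_ver" = "$rpm_ver" ]; then
        echo "match: Apache links the system OpenSSL $rpm_ver"
        return 0
    fi
    echo "MISMATCH: Apache reports OpenSSL ${apache_ver:-?}, installed RPM is ${rpm_ver:-?}"
    return 1
}

# Constructed sample input, copied from the question's error_log and rpm output.
NOTICE='[Tue Mar 20 14:38:24 2018] [notice] Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1h mod_perl/2.0.5 Perl/v5.10.1 configured -- resuming normal operations'
INSTALLED='openssl-1.0.1e-57.el6.x86_64'

# On a live host replace the two constants with (error_log path assumed):
#   NOTICE=$(grep notice /usr/local/apache2/logs/error_log | tail -n 1)
#   INSTALLED=$(rpm -q openssl)
check_ssl_source "$NOTICE" "$INSTALLED" || echo "-> yum updates to openssl will not fix this Apache"
```

A mismatch means the fix has to come from rebuilding Apache/mod_ssl against a patched OpenSSL, which is what the answer's suggestion of separate packages amounts to.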

Answer 1

You could look into whether someone has built separate packages of OpenSSL and Apache that you can install on your system.

But given the age of the OS, it has multiple vulnerabilities, so you should upgrade the whole system.