Ãë¾àÁ¡ID |
22636 |
À§Çèµµ |
30 |
Æ÷Æ® |
80, ... |
ÇÁ·ÎÅäÄÝ |
TCP |
ºÐ·ù |
WWW |
»ó¼¼¼³¸í |
¹è³ÊÁ¤º¸¿¡ ÀÇÇÏ¸é ¿ø°Ý À¥ ¼¹ö¿¡´Â OpenSSL 1.0.0 ÀÌÀü 1.0.0o ¹öÀüÀÌ ½ÇÇàµÇ°í ÀÖÀ¸¸ç, ´ÙÀ½ÀÇ ´ÙÁß Ãë¾àÁ¡ÀÌ Á¸ÀçÇÑ´Ù.
- cipher block chaining (CBC) ¸ðµå¿¡¼ SSL 3.0 ÇÚµéÀÌ block cipher¸¦ ÅëÇÏ¿© ¾ÏÈ£ÈµÈ ¸Þ½ÃÁö¸¦ ÇØÁ¦ÇÒ¶§ padding bytes¿¡ ¿¡·¯°¡ Á¸ÀçÇÑ´Ù. Man-in-the-middle °ø°ÝÀÚ´Â 256¹ø ÀÌÇÏÀÇ ½Ãµµ·Î ¾ÏÈ£ÈµÈ ÅؽºÆ®¸¦ º¹È£ÈÇÒ ¼ö ÀÖ´Ù. ÀÌ Ãë¾àÁ¡Àº 'POODLE' ·Î ¾Ë·ÁÁ® ÀÖ´Ù. (CVE-2014-3566)
- ¼¼¼Ç ƼÄÏÀ» ´Ù·ê ¶§ ¿¡·¯°¡ Á¸ÀçÇØ ¸Þ¸ð¸® ´©¼ö°¡ ¹ß»ýÇÏ¿© ¼ºñ½º °ÅºÎ »óÅ¿¡ ºüÁú ¼ö ÀÖ´Ù.(CVE-2014-3567)
- ºôµå ¼³Á¤ °úÁ¤°ú 'no-ssl3' ¿É¼Ç¿¡ ¿¡·¯°¡ Á¸ÀçÇØ, ¼¹ö¿Í Ŭ¶óÀ̾ðÆ®°£ÀÇ SSL 3.0 Çڵ彦ÀÌÅ© °úÁ¤ÀÌ ºÒ¾ÈÀüÇÑ »óÅ¿¡¼ ÁøÇàµÉ ¼ö ÀÖ´Ù.(CVE-2014-3568)
* ¾Ë¸²: ÀÌ Á¡°ËÇ׸ñÀº ÀÌ Ãë¾àÁ¡À» Á¡°ËÇϱâ À§ÇØ ¹öÀü Á¤º¸¸¸À» È®ÀÎÇÑ´Ù. µû¶ó¼ °ÅÁþ ¾ç¼º¹ÝÀÀ(False Positive)À» º¸ÀÏ ¼ö ÀÖ´Ù.
* Âü°í »çÀÌÆ®: https://www.openssl.org/news/openssl-1.0.0-notes.html https://www.openssl.org/news/secadv_20141015.txt https://www.openssl.org/news/vulnerabilities.html https://www.imperialviolet.org/2014/10/14/poodle.html https://www.openssl.org/~bodo/ssl-poodle.pdf https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
* ¿µÇâÀ» ¹Þ´Â Ç÷§Æû: OpenSSL 1.0.0o ÀÌÀüÀÇ 1.0.0 ¹öÀü Linux Any version Unix Any version Microsoft Windows Any version |
ÇØ°áÃ¥ |
OpenSSL À¥ »çÀÌÆ®ÀÎ http://www.openssl.org/ ¿¡¼ ±¸ÇÒ ¼ö ÀÖ´Â OpenSSLÀÇ °¡Àå ÃֽŠ¹öÀü(1.0.0o ¶Ç´Â ÀÌÈÄ)À¸·Î ¾÷±×·¹À̵å ÇÏ¿©¾ß ÇÑ´Ù. |
°ü·Ã URL |
CVE-2014-3566,CVE-2014-3567,CVE-2014-3568 (CVE) |
°ü·Ã URL |
70574,70585,70586 (SecurityFocus) |
°ü·Ã URL |
(ISS) |
|