OpenSSL 3.0.7 released, fixing buffer overflow vulnerabilities


OpenSSL is a free software project based on SSLeay.

Details have been published about OpenSSL 3.0.7, a maintenance release of the OpenSSL cryptographic library that fixes two vulnerabilities. Both are buffer overflows triggered while verifying X.509 certificates, and they are the reason this corrective release was issued.

It is worth noting that both issues are caused by buffer overflows in the code that validates the email address field of X.509 certificates, and that they could lead to code execution when a specially crafted certificate is processed.

At the time the fix was released, the OpenSSL developers were not aware of any working exploit that could lead to execution of attacker-supplied code.

One scenario in which the vulnerabilities could be exploited is TLS client authentication: a malicious client presents a crafted certificate to a server that requests one. Note, however, that the overflow is reached only after the certificate chain has been verified, so in practice the attacker's certificate must chain to a CA the server trusts, or the server must be configured to continue verification despite a failed trust path. Since client authentication is uncommon and most servers do not enable it, exploitation against servers should pose a lower risk.

Attackers can exploit these vulnerabilities by directing a client to a malicious TLS server that presents a specially crafted certificate in order to trigger the bug.

Although the pre-release announcement described the issue as critical, the severity in the published update was lowered to High rather than Critical.

Under the project's accepted rules, the severity rating is lowered if the issue affects only unusual configurations or if there is a low probability of exploiting it in practice. In this case, the rating was lowered because exploitation is hindered by the stack overflow protection mechanisms (such as stack canaries) used on many platforms.

Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above led to it being downgraded to HIGH.

Users are still encouraged to upgrade to the new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

The following is noted about the identified issues:

CVE-2022-3602: Initially reported as critical, this vulnerability results in a 4-byte buffer overflow when validating a specially crafted email address field in an X.509 certificate. In a TLS client, it can be triggered by connecting to an attacker-controlled server. In a TLS server, it can be triggered if certificate-based client authentication is in use. In both cases the vulnerability manifests at the stage after the trust chain associated with the certificate has been verified; that is, the attack requires a certificate authority to have signed the attacker's malicious certificate (or the application to continue verification despite failing to build a path to a trusted issuer).

CVE-2022-3786: Another vector for exploiting the same weakness behind CVE-2022-3602, identified during analysis of the issue. It differs in that the stack buffer can be overflowed by an arbitrary number of bytes, all of which are the "." character. The issue can be used to crash the application.

The vulnerability is present only in the OpenSSL 3.0.x branch. OpenSSL 1.1.1, as well as the LibreSSL and BoringSSL libraries forked from OpenSSL, are not affected. At the same time, the OpenSSL 1.1.1s update was released, containing only non-security bug fixes.
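As a practical check against the version ranges stated above (3.0.0 through 3.0.6 affected, 3.0.7 and later fixed, 1.x and the forks unaffected), here is an added example script. It is not code from the OpenSSL project or from the original article; the function names `extract_openssl_version`, `openssl_status` and `check_local_openssl` are this example's own, and the sample banner strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the OpenSSL project or the original article.
# Classifies an OpenSSL version string against the ranges stated in the advisory:
# 3.0.0 through 3.0.6 affected, 3.0.7 and later fixed, 1.x not affected.

# Pull the bare version out of `openssl version` output read from stdin,
# e.g. "OpenSSL 3.0.2 15 Mar 2022" -> "3.0.2", "OpenSSL 1.1.1s  1 Nov 2022" -> "1.1.1s".
# LibreSSL prints "LibreSSL x.y.z" and yields an empty string here (it is a fork
# and reports its own version numbers).
extract_openssl_version() {
    sed -n 's/^OpenSSL \([0-9][0-9A-Za-z.]*\).*/\1/p'
}

# openssl_status VERSION -> prints one of: affected | fixed | unaffected | unknown
openssl_status() {
    case "$1" in
        3.0.[0-6])    echo affected ;;    # exactly 3.0.0 .. 3.0.6
        3.0.[0-6]-*)  echo affected ;;    # pre-release tags such as 3.0.0-alpha1
        3.0.*)        echo fixed ;;       # 3.0.7, 3.0.8, 3.0.10, ...
        3.[1-9]*)     echo fixed ;;       # 3.1 and later branches
        '')           echo unknown ;;     # not an OpenSSL banner (LibreSSL, BoringSSL, ...)
        *)            echo unaffected ;;  # 1.1.1x, 1.0.x
    esac
}

# Check the openssl binary on PATH, if any. Returns non-zero only if it is affected.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl binary not found on PATH"; return 0; }
    ver=$(openssl version | extract_openssl_version)
    status=$(openssl_status "$ver")
    echo "openssl on PATH: ${ver:-?} -> $status"
    [ "$status" != affected ]
}

# Run the local check when executed as a script.
check_local_openssl || echo "WARNING: version is in the affected range; verify the distro package changelog"
```

Two caveats apply when reading the result. Distributions that backport fixes (Ubuntu 22.04, for example) keep the upstream version string, so a reported 3.0.2 may already carry the fix; the package changelog or the distro's security tracker is authoritative, not the banner. Conversely, the `openssl` binary on PATH says nothing about libcrypto copies bundled or statically linked into individual applications, which need to be inventoried separately (for instance with `ldd` on the binaries in question).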

The OpenSSL 3.0 branch is used in distributions such as Ubuntu 22.04, CentOS Stream 9, RHEL 9, OpenMandriva 4.2, Gentoo, Fedora 36, and Debian Testing/Unstable. Users of these systems are advised to install the updates as soon as possible (Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch).

On SUSE Linux Enterprise 15 SP4 and openSUSE Leap 15.4, packages with OpenSSL 3.0 are available as an option, while the system packages use the 1.1.1 branch. Debian 11, Arch Linux, Void Linux, Ubuntu 20.04, Slackware, ALT Linux, RHEL 8, OpenWrt, Alpine Linux 3.16, and FreeBSD remain on the OpenSSL 1.x branches.

Finally, if you are interested in learning more, you can find the details at the following link.