OpenSSL latest high-risk vulnerability: CVE-2015-1793 patch released - vulnerability warning - the black bar safety net

ID MYHACK58:62201564535
Type myhack58
Reporter Anonymous
Modified 2015-07-11T00:00:00


Researchers Adam Langley and David Benjamin (Google/BoringSSL) recently found a new critical security vulnerability in OpenSSL. The vulnerability, numbered CVE-2015-1793, is that the certificate validation logic does not properly validate new and untrusted certificates. An attacker can bypass the certificate warning and force an application to treat an invalid certificate as a legitimate one.

Yesterday, OpenSSL released OpenSSL 1.0.2b and OpenSSL 1.0.1n, two updated versions that fix a certificate forgery issue in the encryption protocol.

OpenSSL's official description of this vulnerability is: during certificate chain verification, OpenSSL (versions 1.0.1n and 1.0.2b and later) will, if the first certificate chain fails validation, try to build another certificate chain and check again. A logic error in this verification allows a number of checks on untrusted certificates to be bypassed. A direct consequence is, for example, that a certificate without CA issuing capability is mistaken for one that has CA signing capability, so that certificates it issues pass certificate chain validation.

Affected OpenSSL versions: 1.0.1n, 1.0.2b, 1.0.2c, 1.0.1o

Fix:
OpenSSL 1.0.2c/1.0.2b users: please upgrade to 1.0.2d
OpenSSL 1.0.1h/1.0.1o users: please upgrade to 1.0.2p

OpenSSL high-risk vulnerabilities

Heartbleed vulnerability: found in April of last year, this vulnerability exists in earlier versions of OpenSSL and allows attackers to read a victim's encrypted sensitive data, including credit card details, and even to steal the SSL keys of a network server or client software.

POODLE vulnerability: several months later, another serious vulnerability, called POODLE (Padding Oracle On Downgraded Legacy Encryption), was found in the old but widely used SSL 3.0 encryption protocol. It allows attackers to decrypt the content of encrypted connections.

FREAK vulnerability: found in March of this year, this is a new SSL/TLS vulnerability, numbered CVE-2015-0204. It allows attackers to easily decrypt a website's private key and encrypted passwords, login cookies, and other confidential data transmitted over HTTPS, such as account numbers and passwords.
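The CVE-2015-1793 description above comes down to one invariant: a chain tried after the first one fails must receive the same checks, including the CA check on every issuing certificate. The following is an added, simplified model of that invariant, not OpenSSL code; `Cert`, `build_chains`, `check_chain`, `verify` and all certificate names are hypothetical, and name matching stands in for signature verification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False  # models the basicConstraints CA flag

def build_chains(leaf, untrusted, trust_store):
    """Yield each candidate chain from the leaf up to a trusted root."""
    def extend(chain):
        tip = chain[-1]
        for root in trust_store:
            if root.subject == tip.issuer:
                yield chain + [root]
        for cert in untrusted:
            if cert.subject == tip.issuer and cert not in chain:
                yield from extend(chain + [cert])
    yield from extend([leaf])

def check_chain(chain):
    """Every certificate above the leaf issued something, so it must be a CA."""
    return all(cert.is_ca for cert in chain[1:])

def verify(leaf, untrusted, trust_store):
    """Return the accepted chain's subjects, or None if no chain passes."""
    # A failed first attempt may fall back to an alternative chain, but the
    # alternative gets exactly the same checks as the first one.
    for chain in build_chains(leaf, untrusted, trust_store):
        if check_chain(chain):
            return [cert.subject for cert in chain]
    return None

# Constructed sample data (hypothetical names).
ROOT = Cert("Root", "Root", is_ca=True)
OLD_CROSS = Cert("Inter", "OldRoot", is_ca=True)   # leads to an untrusted root
INTER = Cert("Inter", "Root", is_ca=True)
SITE = Cert("site.example", "Inter")               # end-entity, not a CA
ROGUE = Cert("victim.example", "site.example")     # "issued" by a non-CA

if __name__ == "__main__":
    print(verify(SITE, [OLD_CROSS, INTER], [ROOT]))
    print(verify(ROGUE, [SITE, OLD_CROSS, INTER], [ROOT]))
```

The first call falls back from the dead-end cross-signed path to the trusted one and accepts; the second finds a path to the trusted root but is rejected because a non-CA certificate sits in an issuing position.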