[B! heartbleed] mahboã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

mahbo id:mahbo

heartbleedã«é–¢ã™ã‚‹mahboã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (12)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

Heartbleed bug ã«ã‚ˆã‚‹ã‚µãƒ¼ãƒè¨å®šã®çŠ¶æ³å¤‰åŒ– â€“ IIJ Security Diary
æœ¬ç¨¿ã§ã¯æ—¥æœ¬æ™‚é–“2014å¹´4æœˆ8æ—¥æœªæ˜Žã«å…¬é–‹ã•ã‚ŒãŸ HeartBleed bug ã«ã¤ã„ã¦å–ã‚Šä¸Šã’ã¾ã™ã€‚ æœ¬è„†å¼±æ€§ã¯ OpenSSL 1.0.1 ã‹ã‚‰ 1.0.1f ãŠã‚ˆã³ 1.0.2beta1 ã«ãŠã„ã¦ Heartbeat ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã®å‡¦ç†ã«ãŠã„ã¦å¢ƒç•Œãƒã‚§ãƒƒã‚¯ã®å•é¡ŒãŒã‚ã‚Šã€OpenSSL ãŒå‹•ä½œã—ã¦ã„ã‚‹ãƒžã‚·ãƒ³ã®ãƒ¡ãƒ¢ãƒªæƒ…å ±ã‚’å–å¾—å¯èƒ½ãªçŠ¶æ…‹ã«ã‚ã£ãŸã“ã¨ãŒå…¬è¡¨ã•ã‚Œã¾ã—ãŸ[1]OpenSSL Security Advisory [07 Apr 2014] TLS heartbeat read overrun (CVE-2014-0160) https://www.openssl.org/news/secadv_20140407.txtã€‚ RFC6520 ã§ç–å®šã•ã‚Œã¦ã„ã‚‹ Heartbeat ãƒ—ãƒãƒˆã‚³ãƒ«ã¯ã€ãƒªã‚¯ã‚¨ã‚¹ãƒˆ-ãƒ¬ã‚¹ãƒãƒ³ã‚¹åž‹ã® 2-way ã§å®Œçµã™ã‚‹ç°¡æ˜“ãªãƒ—ãƒãƒˆã‚³ãƒ«ã§ã€SSL/TLS ã® R
mahbo 2014/07/22
openssl

heartbleed
ãƒªãƒ³ã‚¯
Heartbleed bug ã«ã‚ˆã‚‹ç§˜å¯†éµæ¼æ´©ã®ç¾å®Ÿæ€§ã«ã¤ã„ã¦ â€“ IIJ Security Diary
æœ¬ç¨¿ã§ã¯ HeartBleed bug ã«ã‚ˆã‚‹ç§˜å¯†éµæ¼æ´©ã®å¯èƒ½æ€§ã‚’è€ƒå¯Ÿã—ã¾ã™ã€‚ OpenSSL ã§åˆ©ç”¨ã•ã‚Œã‚‹ RSA ç§˜å¯†éµã®ãƒ•ã‚©ãƒ¼ãƒžãƒƒãƒˆã¯ PKCS#1[1]Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 http://tools.ietf.org/html/rfc3447#section-3.2 ã§å®šã‚ã‚‰ã‚Œã¦ã„ã¾ã™ã€‚æš—å·åŒ–ã•ã‚ŒãŸæš—å·æ–‡ã®å¾©å·ã€ã‚‚ã—ãã¯ãƒ‡ã‚¸ã‚¿ãƒ«ç½²åã‚’è¡Œã†éš›ã« RSA ã®ç§˜å¯†éµã«ã‚ˆã‚‹æ“ä½œãŒè¡Œã‚ã‚Œã¾ã™ã€‚SSL/TLS ã‚µãƒ¼ãƒã« https ã§ã‚¢ã‚¯ã‚»ã‚¹ã—ãŸå ´åˆã«ã¯ã€ãã®ä¸¡æ–¹ã®ç”¨é€”ã§ç§˜å¯†éµãŒç”¨ã„ã‚‰ã‚Œã¾ã™ã€‚ãã®ãŸã‚ HSM ãªã©ã®ä»•çµ„ã¿ãŒç„¡ã„å ´åˆã«ã¯ç§˜å¯†éµãŒãƒ¡ãƒ¢ãƒªä¸Šã«å±•é–‹ã•ã‚Œã¦ã„ã‚‹å¯èƒ½æ€§ãŒé«˜ã„ã¨è¨€ãˆã¾ã™ã€‚å®Ÿéš› Cloudflare Challenge[2
mahbo 2014/05/12
security

heartbleed
ãƒªãƒ³ã‚¯
EC2ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ã®OpenSSLã®Heartbleed Bugå¯¾å¿œ - Qiita
Deleted articles cannot be recovered. Draft of this article would be also deleted. Are you sure you want to delete this article?
mahbo 2014/04/16
heartbleed
ãƒªãƒ³ã‚¯
DeNA Engineering - DeNAã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®ãƒãƒ¼ã‚¿ãƒ«ã‚µã‚¤ãƒˆ
æŠ€è¡“ã‚’æ´»ã‹ã—ã€æ–°ã—ã„ä¾¡å€¤ã‚’å‰µé€ ã™ã‚‹ DeNAã®ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã¯ã€æƒ³åƒã‚’è¶…ãˆã‚‹Delightã‚’å±Šã‘ã‚‹ãŸã‚ã«ä½•ãŒã§ãã‚‹ã‹ã‚’è€ƒãˆã€æŠ€è¡“åŠ›ã¨ç™ºæƒ³åŠ›ã§æ–°ã—ã„ä¾¡å€¤ã‚’ç”Ÿã¿å‡ºã—ã¦ã„ã¾ã™ã€‚ å¤šæ§˜ãªå°‚é–€æ€§ã‚’æŒã£ãŸã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ãŒåˆ‡ç£‹ç¢ç£¨ã—ã€äº’ã„ã«åˆºæ¿€ã—åˆãˆã‚‹ç’°å¢ƒã‚„åˆ¶åº¦ãŒã•ã‚‰ãªã‚‹æˆé•·ã¸ã¨ã¤ãªã’ã¾ã™ã€‚
mahbo 2014/04/15
Heartbleedã®è§£ã‚Šã‚„ã™ã„è§£èª¬

heartbleed
ãƒªãƒ³ã‚¯
OpenSSLè„†å¼±æ€§ã®å½±éŸ¿ã‚’å—ã‘ã‚‹ã‚µã‚¤ãƒˆä¸€è¦§ï¼ˆéšæ™‚æ›´æ–°ä¸ï¼‰
ï¼ˆæ—¥æœ¬ã®éŠ€è¡Œãªã©ã®æƒ…å ±ãŒã¾ã é›†ã¾ã£ã¦ã„ã¾ã›ã‚“ã€‚æƒ…å ±ãŒã‚ã‚Œã°ã€æƒ…å ±æºã‚’ç¤ºã™URLã¨ã¨ã‚‚ã«ãŠçŸ¥ã‚‰ã›ä¸‹ã•ã„ï¼‰ 2014å¹´4æœˆ8æ—¥ã«ã€OpenSSLã«è„†å¼±æ€§ãŒã‚ã‚‹ã“ã¨ãŒç™ºè¡¨ã•ã‚Œã€ã‚¤ãƒ³ã‚¿ãƒ¼ãƒãƒƒãƒˆã§ã¯å¤§é¨’å‹•ã‚’è¦‹ã›ã¦ã„ã¾ã™ã€‚ Facebookã‚„ã€Yahooã€Gmailã®ã‚ˆã†ãªGoogleã®ã‚µãƒ¼ãƒ“ã‚¹ãªã©ã€èª°ã‚‚ãŒåˆ©ç”¨ã—ã¦ã„ã‚‹Webã‚µã‚¤ãƒˆãŒã“ã®è„†å¼±æ€§ã«ã•ã‚‰ã•ã‚Œã¦ã„ãŸã®ã§ã€å½“ç„¶ã§ã™ãã€‚ ã“ã®OpenSSLè„†å¼±æ€§ã¯ã€ç™ºè¦‹ãƒ»ç™ºè¡¨ã¾ã§ã®ç´„2å¹´é–“ã€å˜åœ¨ã—ã¦ã„ãŸã“ã¨ã«ãªã‚Šã¾ã™ã€‚ å¤šãã®ã‚µã‚¤ãƒˆã§ã¯ã€ã“ã®ç™ºè¡¨ã‚’å—ã‘ã¦ã™ã§ã«å¯¾å‡¦ï¼ˆã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒ¼ãƒ›ãƒ¼ãƒ«ã‚’åŸ‹ã‚ã‚‹ãƒ‘ãƒƒãƒã‚’å½“ã¦ã‚‹ãªã©ï¼‰ã—ã¦ã„ã¾ã™ãŒã€æœ€å¤§ã§2å¹´é–“ã¯IDã‚„ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã€ã‚¯ãƒ¬ã‚¸ãƒƒãƒˆã‚«ãƒ¼ãƒ‰ã®æƒ…å ±ãŒæ¼ã‚Œã¦ã„ãŸå¯èƒ½æ€§ãŒã‚ã‚‹ã®ã§ã€å®‰å¿ƒã—ã¦è‰¯ã„äººã¯1äººã‚‚ã„ã¾ã›ã‚“ã€‚ ã“ã‚Œã»ã©æ·±åˆ»ãªã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ä¸Šã®å•é¡Œã§ã‚ã‚‹ã«ã‚‚ã‹ã‹ã‚ã‚‰ãšã€ãƒ‹ãƒ¥ãƒ¼ã‚¹ã§é€£æ—¥å ±é“ã•ã‚Œã‚‹ã¨ã„ã†ã“ã¨ã‚‚ãªã„ã§ã™ã—ã€ï¼ˆå°‘ãªãã¨ã‚‚ç§ã®ï¼‰
mahbo 2014/04/11
heartbleed
ãƒªãƒ³ã‚¯
OpenSSLã®ã€ŒHeartbleedã€è„†å¼±æ€§ã¯2å¹´å‰ã‹ã‚‰å˜åœ¨ã€ã€Œæœ€æ‚ªã®ã‚±ãƒ¼ã‚¹ã‚’æƒ³å®šã—ã¦å¯¾å‡¦ã‚’ã€ã¨å°‚é–€å®¶
OpenSSLã®ã€ŒHeartbleedã€è„†å¼±æ€§ã¯2å¹´å‰ã‹ã‚‰å˜åœ¨ã€ã€Œæœ€æ‚ªã®ã‚±ãƒ¼ã‚¹ã‚’æƒ³å®šã—ã¦å¯¾å‡¦ã‚’ã€ã¨å°‚é–€å®¶ï¼šãƒã‚§ãƒƒã‚¯æ–¹æ³•ã¾ã¨ã‚ ã‚ªãƒ¼ãƒ—ãƒ³ã‚½ãƒ¼ã‚¹ã®SSL/TLSå®Ÿè£…ã€ŒOpenSSLã€ã«è¦‹ã¤ã‹ã£ãŸæƒ…å ±æ¼ãˆã„ã«ã¤ãªãŒã‚‹è„†å¼±æ€§ã®å½±éŸ¿ãŒæ‹¡å¤§ã€‚å°‚é–€å®¶ã¯ã€Œæœ€æ‚ªã®ã‚±ãƒ¼ã‚¹ã€ã¤ã¾ã‚Šç§˜å¯†éµã®æ¼ãˆã„ã‚’æƒ³å®šã—ã¦å¯¾å‡¦ã™ã¹ãã€ã¨è¿°ã¹ã¦ã„ã‚‹ã€‚ ã‚ªãƒ¼ãƒ—ãƒ³ã‚½ãƒ¼ã‚¹ã®SSL/TLSå®Ÿè£…ã€ŒOpenSSLã€ã«è¦‹ã¤ã‹ã£ãŸæƒ…å ±æ¼ãˆã„ã«ã¤ãªãŒã‚‹è„†å¼±æ€§ã®å½±éŸ¿ãŒæ‹¡å¤§ã—ã¦ã„ã‚‹ã€‚OSã‚„ã‚¯ãƒ©ã‚¦ãƒ‰ã‚µãƒ¼ãƒ“ã‚¹ã€ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯æ©Ÿå™¨ã®ä¸ã«ã¯ã€è„†å¼±æ€§ã®ã‚ã‚‹OpenSSLã‚’åˆ©ç”¨ã—ã¦ã„ã‚‹ã‚‚ã®ãŒå¤šæ•°ã‚ã‚Šã€ãƒ™ãƒ³ãƒ€ãƒ¼å„ç¤¾ãŒç¢ºèªãƒ»å¯¾å¿œã‚’é€²ã‚ã¦ã„ã‚‹ã€‚å›½å†…ã§ã‚‚ã“ã®è„†å¼±æ€§ã®å½±éŸ¿ã‚’å—ã‘ã‚‹ã‚µã‚¤ãƒˆãŒç¢ºèªã•ã‚Œã¦ãŠã‚Šã€ä¸ã«ã¯ä¸€æ™‚çš„ã«ã‚µãƒ¼ãƒ“ã‚¹ã‚’åœæ¢ã—ã€å¯¾å‡¦ã‚’å„ªå…ˆã—ãŸã‚µãƒ¼ãƒ“ã‚¹ã‚‚ã‚ã‚‹ã€‚ ã“ã®è„†å¼±æ€§ã¯ã€OpenSSL ãƒãƒ¼ã‚¸ãƒ§ãƒ³1.0.1ï¼1.0.2ç³»ã«å˜åœ¨ã™ã‚‹ã€‚Heartbeatæ‹¡å¼µã®å®Ÿè£…ã«è¦‹ã¤ã‹
mahbo 2014/04/11
heartbleed
ãƒªãƒ³ã‚¯
OpenSSL 1.0.1ï¼1.0.2ç³»ã«è„†å¼±æ€§ã€ç§˜å¯†éµæ¼ãˆã„ã®æã‚Œã‚‚
OpenSSL 1.0.1ï¼1.0.2ç³»ã«è„†å¼±æ€§ã€ç§˜å¯†éµæ¼ãˆã„ã®æã‚Œã‚‚ï¼šè©²å½“ã™ã‚‹å ´åˆã¯ã‚¢ãƒƒãƒ—ãƒ‡ãƒ¼ãƒˆã¨ã‚µãƒ¼ãƒãƒ¼è¨¼æ˜Žæ›¸ã®å†ç™ºè¡Œã‚’ ç±³å›½æ™‚é–“ã®2014å¹´4æœˆ7æ—¥ã€OpenSSLã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³1.0.1ï¼1.0.2ç³»ã«ã€ç§˜å¯†éµãªã©ã®æ¼ãˆã„ã«ã¤ãªãŒã‚‹æã‚Œã®ã‚ã‚‹æ·±åˆ»ãªè„†å¼±æ€§ãŒç™ºè¦‹ã•ã‚ŒãŸã€‚ ã‚ªãƒ¼ãƒ—ãƒ³ã‚½ãƒ¼ã‚¹ã®SSLï¼TLSæš—å·åŒ–ãƒ©ã‚¤ãƒ–ãƒ©ãƒªã€ã€ŒOpenSSLã€ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³1.0.1ï¼1.0.2ç³»ã«ã€ç§˜å¯†éµãªã©ã®æ¼ãˆã„ã«ã¤ãªãŒã‚‹æã‚Œã®ã‚ã‚‹æ·±åˆ»ãªè„†å¼±æ€§ï¼ˆCVE-2014-0160ï¼‰ãŒç™ºè¦‹ã•ã‚ŒãŸã€‚JPCERTã‚³ãƒ¼ãƒ‡ã‚£ãƒãƒ¼ã‚·ãƒ§ãƒ³ã‚»ãƒ³ã‚¿ãƒ¼ï¼ˆJPCERT/CCï¼‰ã¯ã˜ã‚è¤‡æ•°ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£æ©Ÿé–¢ãŒã€æ‰‹å…ƒã®OpenSSLã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚’ç¢ºèªã—ã€å¿…è¦ã«å¿œã˜ã¦ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚¢ãƒƒãƒ—ãªã©é©åˆ‡ãªå¯¾å‡¦ã‚’å–ã‚‹ã‚ˆã†å‘¼ã³æŽ›ã‘ã¦ã„ã‚‹ã€‚ ã“ã®è„†å¼±æ€§ã¯ã€OpenSSL 1.0.1ã‹ã‚‰1.0.1fãªã‚‰ã³ã«1.0.2-betaã‹ã‚‰1.0.2-beta1ã«å˜åœ¨ã™ã‚‹
mahbo 2014/04/11
heartbleed
ãƒªãƒ³ã‚¯
ãƒãƒƒãƒˆå²ä¸Šæœ€å¤§ç´šã®ãƒã‚°ç™ºè¦‹ã€‚ã‚«ãƒŠãƒ€ã¯ç¢ºå®šç”³å‘Šã‚’ç·Šæ€¥åœæ¢ã€å±é™ºåº¦ã¯10æ®µéšŽã®11ï¼Ÿ
ãƒãƒƒãƒˆå²ä¸Šæœ€å¤§ç´šã®ãƒã‚°ç™ºè¦‹ã€‚ã‚«ãƒŠãƒ€ã¯ç¢ºå®šç”³å‘Šã‚’ç·Šæ€¥åœæ¢ã€å±é™ºåº¦ã¯10æ®µéšŽã®11ï¼Ÿ2014.04.10 17:005,441 satomi ã‚µã‚¤ãƒˆã§ã‚¯ãƒ¬ã‚¸ãƒƒãƒˆã‚«ãƒ¼ãƒ‰ç•ªå·å…¥åŠ›ã—ã¦ã‚‚éµãŒã‹ã‹ã‚‹ã‹ã‚‰å¤§ä¸ˆå¤«ã€ã¨ã„ã†éŽåŽ»15å¹´ãã‚‰ã„ã®å®‰å¿ƒæ„Ÿã‚’æ ¹åº•ã‹ã‚‰è¦†ã™ãƒã‚°ãŒæ¤œå‡ºã•ã‚Œã€ä¸–ç•Œå„åœ°ã§ã‚µã‚¤ãƒˆç®¡ç†è€…ã‚’éœ‡ãˆä¸ŠãŒã‚‰ã›ã¦ã„ã¾ã™ã€‚ ãã‚Œã«ä¼´ã„ã€ã‚«ãƒŠãƒ€æ”¿åºœã¯ç¢ºå®šç”³å‘Šã®ã‚µãƒ¼ãƒ“ã‚¹ã‚’ç·Šæ€¥é–‰éŽ–ã—ã¾ã—ãŸã€‚ã“ã®ä»¶ã«é–¢ã—ã¦ã€ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã®å°‚é–€å®¶Bruce Schneieræ°ï¼ˆCo3ç¤¾CTOå…¼EFFç†äº‹å…¼ãƒãƒ¼ãƒãƒ¼ãƒ‰å¤§ãƒ•ã‚§ãƒãƒ¼ï¼‰ã¯ï½¢å£Šæ»…çš„ã€‚10æ®µéšŽè©•ä¾¡ã§è€ƒãˆã‚‹ã¨ã€ã“ã‚Œã¯11ãƒ¬ãƒ™ãƒ«ï½£ã¨é’ç‹ç«‹ã¦ã¦å«ã‚“ã§ã„ã¾ã™ã€‚ ã“ã®ã‚ˆã†ã«ä¸€å›½ã®å…¬å…±ã‚µãƒ¼ãƒ“ã‚¹ã‚‚åœæ¢ã•ã›ã‚‹é‡å¤§ãªãƒã‚°ã®åå‰ã¯ï½¢Heartbleedï½£ã€‚è¡€ã‚’å¹ãå¿ƒè‡“ã¨ã„ã†æ„å‘³ã§ã™ã€‚ã“ã‚Œã®ä½•ãŒã©ã†æ€–ã„ã®ã‹ã€å°‘ã—èª¬æ˜Žã—ã¦ã„ãã¾ã™ã€‚ æš—å·éµã®æ¡æ‰‹ ã‚¢ãƒƒãƒ—ãƒ«ã®è„†å¼±æ€§ã®æ™‚ã‚‚å‡ºãŸã‚ˆã†ã«ã€ãƒãƒƒãƒˆã§ã‚»ã‚ãƒ¥ã‚¢ãªå–å¼•ã
mahbo 2014/04/11
heartbleed
ãƒªãƒ³ã‚¯
OpenSSLã®è„†å¼±æ€§ã§æƒ³å®šã•ã‚Œã‚‹ãƒªã‚¹ã‚¯ - ã‚ã‚‚ãŠãã°
JVNã‚„JPCERT/CCã®è¨˜äº‹ãŒã‚ã¾ã‚Šã«ã‚‚ã•ã‚‰ã£ã¨æ›¸ã‹ã‚Œã¦ã„ã¦ã€å…·ä½“çš„ãªãƒªã‚¹ã‚¯ãŒæƒ³åƒã—ã¥ã‚‰ã„ã¨æ€ã†ã®ã§èª¬æ˜Žã—ã¾ã™ã€‚ ä»ŠåŒ—ç”£æ¥ (ä»Šãƒ‹ãƒ¥ãƒ¼ã‚¹è¦‹ã¦æ¥ãŸã‹ã‚‰ä¸‰è¡Œã§æ•™ãˆã¦æ¬²ã—ã„ã¨ã„ã†äººå‘ã‘ã®ã¾ã¨ã‚) ã‚¤ãƒ³ã‚¿ãƒ¼ãƒãƒƒãƒˆä¸Šã®ã€Œæš—å·åŒ–ã€ã«ä½¿ã‚ã‚Œã¦ã„ã‚‹OpenSSLã¨ã„ã†ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ãŒ2å¹´é–“å£Šã‚Œã¦ã„ã¾ã—ãŸã€‚ ã“ã®ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã¯ä¾¿åˆ©ãªã®ã§ã€Facebookã ã¨ã‹YouTubeã ã¨ã‹ã€ã‚ã¡ã“ã¡ã®ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã§ä½¿ã£ã¦ã„ã¾ã—ãŸã€‚ ä»–ã®äººã®å…¥åŠ›ã—ãŸIDã¨ã‹ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã¨ã‹ã‚¯ãƒ¬ã‚«ç•ªå·ã¨ã‹ã‚’ã€æ‚ªã„äººãŒè¦‹ã‚‹ã“ã¨ãŒã§ãã¦ã—ã¾ã„ã¾ã™ã€‚(å®Ÿéš›ã«æ¼ã‚Œã¦ã‚‹ä¾‹) ä»–ã«ã‚‚è‰²ã€…æ¼ã‚Œã¦ã¾ã™ãŒã€ã¨ã‚Šã‚ãˆãšã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ä»¥å¤–ã®äººãŒè¦šãˆã¦ãŠãã¹ãã¯ã“ã“ã¾ã§ã§OKã§ã™ã€‚ã‚‚ã†å°‘ã—åˆ†ã‹ã‚Šã‚„ã™ã„æƒ…å ±ãŒä»¥ä¸‹ã«ã‚ã‚Šã¾ã™ã€‚ OpenSSL ã®è„†å¼±æ€§ã«å¯¾ã™ã‚‹ã€ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆåˆ©ç”¨è€…ï¼ˆä¸€èˆ¬ãƒ¦ãƒ¼ã‚¶ï¼‰ã®å¯¾å¿œã«ã¤ã„ã¦ ã¾ã ç›´ã£ã¦ã„ãªã„ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã‚‚ã‚ã‚Œã°ã€å…ƒã€…å£Šã‚Œã¦ã„ãªã„ã‚¦ã‚§ãƒ–
mahbo 2014/04/11
heartbleed
ãƒªãƒ³ã‚¯
CVE-2014-0160 OpenSSL Heartbleed è„†å¼±æ€§ã¾ã¨ã‚ - ã‚ã‚‚ãŠãã°
å¿…è¦ãªæƒ…å ±ã¯ http://heartbleed.com/ ã«ã¾ã¨ã¾ã£ã¦ã„ã‚‹ã®ã§ã™ãŒã€è‹±èªžã ã—é•·ã„ã—ã£ã¦äººã®ãŸã‚ã«æ‰‹çŸã«ã¾ã¨ã‚ã¦ãŠãã¾ã™ã€‚ ã©ã†ã™ã‚Œã°ã„ã„ã®ã‹ OpenSSL 1.0.1ã€œ1.0.1fã‚’ä½¿ã£ã¦ã„ãªã‘ã‚Œã°ã‚»ãƒ¼ãƒ• ã‚ã¦ã¯ã¾ã‚‹å ´åˆã«ã¯ã€ä¸€åˆ»ã‚‚æ—©ããƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚¢ãƒƒãƒ—ã—ã¦ã€ã‚µãƒ¼ãƒã”ã¨å†èµ·å‹•(ã‚ã‹ã‚‹ã²ã¨ã¯ã‚µãƒ¼ãƒ“ã‚¹å˜ä½ã§ã‚‚OKã€ãŸã ã—reloadã§ã¯ã ã‚ãªã“ã¨ã‚‚) SSLè¨¼æ˜Žæ›¸ã§ã‚µãƒ¼ãƒã‚’å…¬é–‹ã—ã¦ã„ã‚‹ãªã‚‰ã€ç§˜å¯†éµã‹ã‚‰ä½œã‚Šç›´ã—ã¦è¨¼æ˜Žæ›¸ã‚’å†ç™ºè¡Œã—ã€éŽåŽ»ã®è¨¼æ˜Žæ›¸ã‚’å¤±åŠ¹ã•ã›ã‚‹(æœ«å°¾ã«é–¢é€£ãƒªãƒ³ã‚¯ã‚ã‚Š)ã€‚ ã‚µãƒ¼ãƒã‚’å…¬é–‹ã—ã¦ã„ãªã„å ´åˆã‚‚ã€å¤–éƒ¨ã¸ã®SSLé€šä¿¡ãŒã‚ã‚Œã°å½±éŸ¿ã‚’å—ã‘ã‚‹ã®ã§ã€è©³ã—ãç²¾æŸ»ã™ã‚‹ã€‚ PFS(perfect forward secrecy)ã‚’åˆ©ç”¨ã—ã¦ã„ãªã„å ´åˆã€éŽåŽ»ã®é€šä¿¡å†…å®¹ã‚‚å¾©å·ã•ã‚Œã‚‹å¯èƒ½æ€§ãŒã‚ã‚‹ãŸã‚ã€è©³ã—ãç²¾æŸ»ã™ã‚‹ã€‚ æ¼æ´©ã™ã‚‹æƒ…å ±ã®å…·ä½“ä¾‹ã¯ã€OpenSSLã®è„†å¼±æ€§ã§æƒ³å®šã•ã‚Œã‚‹ãƒªã‚¹ã‚¯ã¨ã—ã¦
mahbo 2014/04/11
heartbleed
ãƒªãƒ³ã‚¯
OpenSSL ã®è„†å¼±æ€§ã«é–¢ã™ã‚‹æ³¨æ„å–šèµ·
å„ä½ JPCERT-AT-2014-0013 JPCERT/CC 2014-04-08(æ–°è¦) 2014-04-11(æ›´æ–°) <<< JPCERT/CC Alert 2014-04-08 >>> OpenSSL ã®è„†å¼±æ€§ã«é–¢ã™ã‚‹æ³¨æ„å–šèµ· https://www.jpcert.or.jp/at/2014/at140013.html I. æ¦‚è¦ OpenSSL Project ãŒæä¾›ã™ã‚‹ OpenSSL ã® heartbeat æ‹¡å¼µã«ã¯æƒ…å ±æ¼ãˆã„ã® è„†å¼±æ€§ãŒã‚ã‚Šã¾ã™ã€‚çµæžœã¨ã—ã¦ã€é éš”ã®ç¬¬ä¸‰è€…ã¯ã€ç´°å·¥ã—ãŸãƒ‘ã‚±ãƒƒãƒˆã‚’é€ä»˜ã™ ã‚‹ã“ã¨ã§ã‚·ã‚¹ãƒ†ãƒ ã®ãƒ¡ãƒ¢ãƒªå†…ã®æƒ…å ±ã‚’é–²è¦§ã—ã€ç§˜å¯†éµãªã©ã®é‡è¦ãªæƒ…å ±ã‚’å–å¾— ã™ã‚‹å¯èƒ½æ€§ãŒã‚ã‚Šã¾ã™ã€‚ ç®¡ç†ã™ã‚‹ã‚·ã‚¹ãƒ†ãƒ ã«ãŠã„ã¦è©²å½“ã™ã‚‹ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã® OpenSSL ã‚’ä½¿ç”¨ã—ã¦ã„ã‚‹å ´åˆ ã¯ã€OpenSSL Project ãŒæä¾›ã™ã‚‹ä¿®æ£æ¸ˆã¿ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã¸ã‚¢ãƒƒãƒ—ãƒ‡ãƒ¼ãƒˆã™ã‚‹ã“ã¨ ã‚’ãŠå‹§ã‚ã—ã¾
mahbo 2014/04/11
heartbleed
ãƒªãƒ³ã‚¯
JVNVU#94401838: OpenSSL ã® heartbeat æ‹¡å¼µã«æƒ…å ±æ¼ãˆã„ã®è„†å¼±æ€§
OpenSSL 1.0.1 ã‹ã‚‰ 1.0.1f ã¾ã§ OpenSSL 1.0.2 ã«ã¤ã„ã¦ã¯ã€1.0.2-beta2 ã§å¯¾å¿œäºˆå®šã¨ã®ã“ã¨ã§ã™ã€‚ OpenSSL ã® heartbeat æ‹¡å¼µã®å®Ÿè£…ã«ã¯ã€æƒ…å ±æ¼ãˆã„ã®è„†å¼±æ€§ãŒå˜åœ¨ã—ã¾ã™ã€‚TLS ã‚„ DTLS é€šä¿¡ã«ãŠã„ã¦ OpenSSL ã®ã‚³ãƒ¼ãƒ‰ã‚’å®Ÿè¡Œã—ã¦ã„ã‚‹ãƒ—ãƒã‚»ã‚¹ã®ãƒ¡ãƒ¢ãƒªå†…å®¹ãŒé€šä¿¡ç›¸æ‰‹ã«æ¼ãˆã„ã™ã‚‹å¯èƒ½æ€§ãŒã‚ã‚Šã¾ã™ã€‚
mahbo 2014/04/11
heartbleed
ãƒªãƒ³ã‚¯
1