naga_sawaã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ / 2014å¹´5æœˆ17æ—¥

ã‚µãƒ¼ãƒ“ã‚¹çµ‚äº†ã®ãŠçŸ¥ã‚‰ã› - NAVER ã¾ã¨ã‚

ã‚µãƒ¼ãƒ“ã‚¹çµ‚äº†ã®ãŠçŸ¥ã‚‰ã› NAVERã¾ã¨ã‚ã¯2020å¹´9æœˆ30æ—¥ã‚’ã‚‚ã¡ã¾ã—ã¦ã‚µãƒ¼ãƒ“ã‚¹çµ‚äº†ã„ãŸã—ã¾ã—ãŸã€‚ ç´„11å¹´é–“ã€NAVERã¾ã¨ã‚ã‚’ã”åˆ©ç”¨ãƒ»ã”æ„›é¡§ã„ãŸã ãèª ã«ã‚ã‚ŠãŒã¨ã†ã”ã–ã„ã¾ã—ãŸã€‚

naga_sawa 2014/05/17

ã‚µã‚¤ãƒ¬ãƒ³ãƒˆãƒ†ãƒãŒåŠ¹ã„ã¦ãã¦ã‚‹ã¨

ãƒªãƒ³ã‚¯

OpenSSL æƒ…å ±æ¼ãˆã„ã‚’è¨±ã—ã¦ã—ã¾ã†è„†å¼±æ€§ ï½žHeartbleed å•é¡Œï½ž ã«ã¤ã„ã¦

2014å¹´04æœˆ07æ—¥ã€ OpenSSL æƒ…å ±æ¼ãˆã„ã‚’è¨±ã—ã¦ã—ã¾ã†è„†å¼±æ€§(CVE-2014-0160) ï½žHeartbleed å•é¡Œï½ž ã«ã¤ã„ã¦å ±å‘Šã•ã‚Œã¾ã—ãŸã€‚ ã‚¤ãƒ³ã‚·ãƒ‡ãƒ³ãƒˆæƒ…å ±æ´»ç”¨ãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯æ¤œè¨Ž WGã§ã¯ã€ã‚¤ãƒ³ã‚·ãƒ‡ãƒ³ãƒˆå¯¾å¿œæŠ€è¡“èª¿æŸ» WGã€æ—¥æœ¬ã‚·ãƒ¼ã‚µãƒ¼ãƒˆå”è°ä¼šã«åŠ ç›Ÿã—ã¦ã„ã‚‹ãƒãƒ¼ãƒ ã«å”åŠ›ã‚’å¾—ã¦ã€ã‚¤ãƒ³ã‚·ãƒ‡ãƒ³ãƒˆç™ºç”Ÿã‚’äº‹å‰ã«äºˆé˜²ã™ã‚‹æŽªç½®ã¨ã—ã¦ã€ã€ŒOpenSSL æƒ…å ±æ¼ãˆã„ã‚’è¨±ã—ã¦ã—ã¾ã†è„†å¼±æ€§ ï½ž Heartbleed å•é¡Œï½žã€ã«é–¢ã™ã‚‹å…¬é–‹æƒ…å ±ã‚’èª¿æŸ»ã—ã€æœ¬ãƒ¬ãƒãƒ¼ãƒˆã«ã¾ã¨ã‚ã¾ã—ãŸã€‚ ãƒ»OpenSSL æƒ…å ±æ¼ãˆã„ã‚’è¨±ã—ã¦ã—ã¾ã†è„†å¼±æ€§ ï½ž Heartbleed å•é¡Œï½ž ã¨ã¯ ãƒ»å¯¾ç– ãƒ»ãƒ™ãƒ³ãƒ€æƒ…å ± ãƒ»è¦³æ¸¬æ—¥è¨˜ ãƒ»æ›´æ–°å±¥æ´ OpenSSL æƒ…å ±æ¼ãˆã„ã‚’è¨±ã—ã¦ã—ã¾ã†è„†å¼±æ€§ ï½ž Heartbleed å•é¡Œï½ž ã¯ã€ OpenSSL ã® TLS/DTLS ç”¨ Heartbeat æ‹¡å¼µã®å®Ÿè£…ã«èµ·å› ã™ã‚‹æƒ…å ±æ¼ãˆã„ã‚’è¨±

naga_sawa 2014/05/17

Heartbleed å•é¡Œã¾ã¨ã‚

ãƒªãƒ³ã‚¯

OpenSSLã®è„†å¼±æ€§ï¼ˆCVE-2014-0160ï¼‰é–¢é€£ã®æƒ…å ±ã‚’ã¾ã¨ã‚ã¦ã¿ãŸ - piyolog

HeartBleed(CVE-2014-0160)é–¢ä¿‚ã®ãƒªãƒ³ã‚¯é›†ã€è‡ªåˆ†ã®ãƒ¡ãƒ¢ç”¨ãªã®ã§ä¸æ£ç¢ºã§ã™ã€‚ HeartBleedã®å½±éŸ¿å¯¾è±¡ã¨ãªã‚‹OpenSSLãƒãƒ¼ã‚¸ãƒ§ãƒ³ ä»¥ä¸‹ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ãŒå½±éŸ¿ã‚’å—ã‘ã¾ã™ã€‚ä½†ã—ã€ã‚·ã‚¹ãƒ†ãƒ ã«ã‚ˆã£ã¦ã¯åŽŸå› ã¨ãªã£ã¦ã„ã‚‹heartbeatæ©Ÿèƒ½ãŒç„¡åŠ¹åŒ–ã•ã‚Œã¦ã„ã‚‹å ´åˆã‚‚ã‚ã‚‹ãŸã‚ã€ãƒãƒ¼ã‚¸ãƒ§ãƒ³ãŒä¸€è‡´ã—ãŸã ã‘ã§å½“è©²è„†å¼±æ€§ã®å½±éŸ¿ã‚’å—ã‘ã‚‹ã‹ã¯ç¢ºå®šã—ã¾ã›ã‚“ã€‚ (1) OpenSSL 1.0.1ç³» ãƒãƒ¼ã‚¸ãƒ§ãƒ³å ãƒªãƒªãƒ¼ã‚¹æ™‚æœŸ CVE-2014-0160 OpenSSL 1.0.1 2012/03/14 è„†å¼±æ€§ã‚ã‚Š OpenSSL 1.0.1a 2012/04/19 è„†å¼±æ€§ã‚ã‚Š OpenSSL 1.0.1b 2012/04/26 è„†å¼±æ€§ã‚ã‚Š OpenSSL 1.0.1c 2012/05/10 è„†å¼±æ€§ã‚ã‚Š OpenSSL 1.0.1d 2013/02/05 è„†å¼±æ€§ã‚ã‚Š OpenSSL 1.0.1e

naga_sawa 2014/05/17

Heartbleed å•é¡Œã¾ã¨ã‚

ãƒªãƒ³ã‚¯

OpenSSLã®è„†å¼±æ€§ã§æƒ³å®šã•ã‚Œã‚‹ãƒªã‚¹ã‚¯ - ã‚ã‚‚ãŠãã°

JVNã‚„JPCERT/CCã®è¨˜äº‹ãŒã‚ã¾ã‚Šã«ã‚‚ã•ã‚‰ã£ã¨æ›¸ã‹ã‚Œã¦ã„ã¦ã€å…·ä½“çš„ãªãƒªã‚¹ã‚¯ãŒæƒ³åƒã—ã¥ã‚‰ã„ã¨æ€ã†ã®ã§èª¬æ˜Žã—ã¾ã™ã€‚ ä»ŠåŒ—ç”£æ¥ (ä»Šãƒ‹ãƒ¥ãƒ¼ã‚¹è¦‹ã¦æ¥ãŸã‹ã‚‰ä¸‰è¡Œã§æ•™ãˆã¦æ¬²ã—ã„ã¨ã„ã†äººå‘ã‘ã®ã¾ã¨ã‚) ã‚¤ãƒ³ã‚¿ãƒ¼ãƒãƒƒãƒˆä¸Šã®ã€Œæš—å·åŒ–ã€ã«ä½¿ã‚ã‚Œã¦ã„ã‚‹OpenSSLã¨ã„ã†ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ãŒ2å¹´é–“å£Šã‚Œã¦ã„ã¾ã—ãŸã€‚ ã“ã®ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã¯ä¾¿åˆ©ãªã®ã§ã€Facebookã ã¨ã‹YouTubeã ã¨ã‹ã€ã‚ã¡ã“ã¡ã®ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã§ä½¿ã£ã¦ã„ã¾ã—ãŸã€‚ ä»–ã®äººã®å…¥åŠ›ã—ãŸIDã¨ã‹ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã¨ã‹ã‚¯ãƒ¬ã‚«ç•ªå·ã¨ã‹ã‚’ã€æ‚ªã„äººãŒè¦‹ã‚‹ã“ã¨ãŒã§ãã¦ã—ã¾ã„ã¾ã™ã€‚(å®Ÿéš›ã«æ¼ã‚Œã¦ã‚‹ä¾‹) ä»–ã«ã‚‚è‰²ã€…æ¼ã‚Œã¦ã¾ã™ãŒã€ã¨ã‚Šã‚ãˆãšã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ä»¥å¤–ã®äººãŒè¦šãˆã¦ãŠãã¹ãã¯ã“ã“ã¾ã§ã§OKã§ã™ã€‚ã‚‚ã†å°‘ã—åˆ†ã‹ã‚Šã‚„ã™ã„æƒ…å ±ãŒä»¥ä¸‹ã«ã‚ã‚Šã¾ã™ã€‚ OpenSSL ã®è„†å¼±æ€§ã«å¯¾ã™ã‚‹ã€ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆåˆ©ç”¨è€…ï¼ˆä¸€èˆ¬ãƒ¦ãƒ¼ã‚¶ï¼‰ã®å¯¾å¿œã«ã¤ã„ã¦ ã¾ã ç›´ã£ã¦ã„ãªã„ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã‚‚ã‚ã‚Œã°ã€å…ƒã€…å£Šã‚Œã¦ã„ãªã„ã‚¦ã‚§ãƒ–

naga_sawa 2014/05/17

Heartbleed å•é¡Œ

ãƒªãƒ³ã‚¯

CVE-2014-0160 OpenSSL Heartbleed è„†å¼±æ€§ã¾ã¨ã‚ - ã‚ã‚‚ãŠãã°

å¿…è¦ãªæƒ…å ±ã¯ http://heartbleed.com/ ã«ã¾ã¨ã¾ã£ã¦ã„ã‚‹ã®ã§ã™ãŒã€è‹±èªžã ã—é•·ã„ã—ã£ã¦äººã®ãŸã‚ã«æ‰‹çŸã«ã¾ã¨ã‚ã¦ãŠãã¾ã™ã€‚ ã©ã†ã™ã‚Œã°ã„ã„ã®ã‹ OpenSSL 1.0.1ã€œ1.0.1fã‚’ä½¿ã£ã¦ã„ãªã‘ã‚Œã°ã‚»ãƒ¼ãƒ• ã‚ã¦ã¯ã¾ã‚‹å ´åˆã«ã¯ã€ä¸€åˆ»ã‚‚æ—©ããƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚¢ãƒƒãƒ—ã—ã¦ã€ã‚µãƒ¼ãƒã”ã¨å†èµ·å‹•(ã‚ã‹ã‚‹ã²ã¨ã¯ã‚µãƒ¼ãƒ“ã‚¹å˜ä½ã§ã‚‚OKã€ãŸã ã—reloadã§ã¯ã ã‚ãªã“ã¨ã‚‚) SSLè¨¼æ˜Žæ›¸ã§ã‚µãƒ¼ãƒã‚’å…¬é–‹ã—ã¦ã„ã‚‹ãªã‚‰ã€ç§˜å¯†éµã‹ã‚‰ä½œã‚Šç›´ã—ã¦è¨¼æ˜Žæ›¸ã‚’å†ç™ºè¡Œã—ã€éŽåŽ»ã®è¨¼æ˜Žæ›¸ã‚’å¤±åŠ¹ã•ã›ã‚‹(æœ«å°¾ã«é–¢é€£ãƒªãƒ³ã‚¯ã‚ã‚Š)ã€‚ ã‚µãƒ¼ãƒã‚’å…¬é–‹ã—ã¦ã„ãªã„å ´åˆã‚‚ã€å¤–éƒ¨ã¸ã®SSLé€šä¿¡ãŒã‚ã‚Œã°å½±éŸ¿ã‚’å—ã‘ã‚‹ã®ã§ã€è©³ã—ãç²¾æŸ»ã™ã‚‹ã€‚ PFS(perfect forward secrecy)ã‚’åˆ©ç”¨ã—ã¦ã„ãªã„å ´åˆã€éŽåŽ»ã®é€šä¿¡å†…å®¹ã‚‚å¾©å·ã•ã‚Œã‚‹å¯èƒ½æ€§ãŒã‚ã‚‹ãŸã‚ã€è©³ã—ãç²¾æŸ»ã™ã‚‹ã€‚ æ¼æ´©ã™ã‚‹æƒ…å ±ã®å…·ä½“ä¾‹ã¯ã€OpenSSLã®è„†å¼±æ€§ã§æƒ³å®šã•ã‚Œã‚‹ãƒªã‚¹ã‚¯ã¨ã—ã¦

naga_sawa 2014/05/17

Heartbleed å•é¡Œã¾ã¨ã‚

ãƒªãƒ³ã‚¯

ã€ŒåŒæ€§æ„›è€…ã¸ã®HIVå•“ç™ºã€å¿…è¦ã‹ã€å…µåº«çœŒè°ãŒç™ºè¨€ï¼šæœæ—¥æ–°èžãƒ‡ã‚¸ã‚¿ãƒ«

ï¼‘ï¼–æ—¥ã«é–‹ã‹ã‚ŒãŸå…µåº«çœŒè°ä¼šã®å§”å“¡ä¼šã§ã€è‡ªæ°‘å…šæ‰€å±žã®äº•ä¸Šè‹±ä¹‹çœŒè°ï¼ˆï¼”ï¼”ï¼‰ãŒç”·æ€§åŒå£«ã®æ€§è¡Œç‚ºã«ã‚ˆã‚‹ï¼¨ï¼©ï¼¶ï¼ˆã‚¨ã‚¤ã‚ºã‚¦ã‚¤ãƒ«ã‚¹ï¼‰æ„ŸæŸ“é˜²æ¢ã«å‘ã‘ãŸçœŒã®å•“ç™ºæ´»å‹•ã‚’ç–‘å•è¦–ã™ã‚‹ç™ºè¨€ã‚’ã—ã¦ã„ãŸã“ã¨ãŒçœŒãªã©ã¸ã®å–æã§åˆ†ã‹ã£ãŸã€‚ã€€äº•ä¸ŠçœŒè°ã¯ã€Œç¤¾ä¼šçš„ã«èªã‚ã‚‹ã¹ãã˜ã‚ƒãªã„ã¨ã„ã„ã¾ã™ã‹ã€è¡Œæ”¿ãŒãƒ›ãƒ¢ã®æŒ‡å°Žã‚’ã™ã‚‹å¿…è¦ãŒã‚ã‚‹ã®ã‹ã€ãªã©ã¨ç™ºè¨€ã—ãŸã¨ã„ã†ã€‚äº•ä¸ŠçœŒè°ã¯å–æã«å¯¾ã—ã€ç™ºè¨€ã—ãŸã“ã¨ã‚’èªã‚ãŸä¸Šã§ã€ã€Œåã£ãŸæ€§å—œå¥½ï¼ˆã—ã“ã†ï¼‰ã§æœ¬æ¥ãƒã‚¤ãƒªã‚¹ã‚¯ã¯æ‰¿çŸ¥ã§ã‚„ã£ã¦ã„ã‚‹äººãŸã¡ã®ã“ã¨ã€‚ä»–ã«ã‚‚é‡è¦èª²é¡ŒãŒã‚ã‚‹ä¸ã€è¡Œæ”¿ãŒçŽ‡å…ˆã—ã¦å¯¾å¿œã™ã‚‹å¿…è¦ã¯ãªã„ã€ã¨è¿°ã¹ãŸã€‚ç™ºè¨€ã®æ’¤å›žãªã©ã¯è€ƒãˆã¦ã„ãªã„ã¨ã„ã†ã€‚

naga_sawa 2014/05/17

åœ°æ–¹ã®40ä»£è‡ªæ°‘è°å“¡ã ã‹ã‚‰ã“ã†ã„ã†æ€æƒ³ãªã®ã‚‚ã‚ã‹ã‚‰ã‚“ã§ã‚‚ãªã„ãŒ/ã€Žã“ã‚Œã«æŠ—è°ã™ã‚‹å¥´ã‚‰ã¯å…¨ã¦å¿Œã‚€ã¹ãåŒæ€§æ„›è€…ã ï¼æ°—è‰²ã®æ‚ªã„ã€ãã‚‰ã„æ€ã£ã¦ã„ã¦ã‚‚ä¸æ€è°ã¯ãªã„/ã“ã‚Œã ã‹ã‚‰ç”°èˆŽè°å“¡ã¯('A`)/åŠ å¤å·ã®äººæ¯ã—ã¦ã‚‹ï½žï¼Ÿ

ãƒªãƒ³ã‚¯

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ã‚¿ã‚°

2014å¹´5æœˆ17æ—¥ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (6ä»¶)

ã‚µãƒ¼ãƒ“ã‚¹çµ‚äº†ã®ãŠçŸ¥ã‚‰ã› - NAVER ã¾ã¨ã‚

OpenSSL æƒ…å ±æ¼ãˆã„ã‚’è¨±ã—ã¦ã—ã¾ã†è„†å¼±æ€§ ï½žHeartbleed å•é¡Œï½ž ã«ã¤ã„ã¦

OpenSSLã®è„†å¼±æ€§ï¼ˆCVE-2014-0160ï¼‰é–¢é€£ã®æƒ…å ±ã‚’ã¾ã¨ã‚ã¦ã¿ãŸ - piyolog

OpenSSLã®è„†å¼±æ€§ã§æƒ³å®šã•ã‚Œã‚‹ãƒªã‚¹ã‚¯ - ã‚ã‚‚ãŠãã°

CVE-2014-0160 OpenSSL Heartbleed è„†å¼±æ€§ã¾ã¨ã‚ - ã‚ã‚‚ãŠãã°

ã€ŒåŒæ€§æ„›è€…ã¸ã®HIVå•“ç™ºã€å¿…è¦ã‹ã€å…µåº«çœŒè°ãŒç™ºè¨€ï¼šæœæ—¥æ–°èžãƒ‡ã‚¸ã‚¿ãƒ«

ãŠçŸ¥ã‚‰ã›

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2024å¹´12æœˆç¬¬1é€±ï¼‰

æœˆé–“ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2024å¹´11æœˆï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2024å¹´11æœˆç¬¬5é€±ï¼‰

å…¬å¼Twitter

ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

å…¬å¼Twitter

ã¯ã¦ãªã®ã‚µãƒ¼ãƒ“ã‚¹

ã‚¿ã‚°

2014å¹´5æœˆ17æ—¥ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (6ä»¶)

ãŠçŸ¥ã‚‰ã›

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚­ãƒ³ã‚°ï¼ˆ2024å¹´12æœˆç¬¬1é€±ï¼‰

æœˆé–“ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚­ãƒ³ã‚°ï¼ˆ2024å¹´11æœˆï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚­ãƒ³ã‚°ï¼ˆ2024å¹´11æœˆç¬¬5é€±ï¼‰

å…¬å¼Twitter

ã‚­ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

å…¬å¼Twitter

ã¯ã¦ãªã®ã‚µãƒ¼ãƒ“ã‚¹

2014å¹´5æœˆ17æ—¥ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (6ä»¶)

ãŠçŸ¥ã‚‰ã›

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2024å¹´12æœˆç¬¬1é€±ï¼‰

æœˆé–“ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2024å¹´11æœˆï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2024å¹´11æœˆç¬¬5é€±ï¼‰

å…¬å¼Twitter

ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

å…¬å¼Twitter

ã¯ã¦ãªã®ã‚µãƒ¼ãƒ“ã‚¹