阿里云漏洞库

漏洞描述

OpenSSL是一款开放源码的SSL实现，用来实现网络通信的高强度加密。

OpenSSL 'no-ssl3' Build Option存在安全绕过漏洞，允许攻击者绕过安全限制，执行未授权的操作。

解决建议

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：
https://www.openssl.org/

参考链接
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc
http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://marc.info/?l=bugtraq&m=141477196830952&w=2
http://marc.info/?l=bugtraq&m=142103967620673&w=2
http://marc.info/?l=bugtraq&m=142495837901899&w=2
http://marc.info/?l=bugtraq&m=142624590206005&w=2
http://marc.info/?l=bugtraq&m=142791032306609&w=2
http://marc.info/?l=bugtraq&m=142804214608580&w=2
http://marc.info/?l=bugtraq&m=143290437727362&w=2
http://marc.info/?l=bugtraq&m=143290522027658&w=2
http://secunia.com/advisories/59627
http://secunia.com/advisories/61058
http://secunia.com/advisories/61073
http://secunia.com/advisories/61130
http://secunia.com/advisories/61207
http://secunia.com/advisories/61819
http://secunia.com/advisories/61959
http://secunia.com/advisories/62030
http://secunia.com/advisories/62070
http://secunia.com/advisories/62124
http://security.gentoo.org/glsa/glsa-201412-39.xml
http://support.apple.com/HT204244
http://www-01.ibm.com/support/docview.wss?uid=swg21686997
http://www.debian.org/security/2014/dsa-3053
http://www.securityfocus.com/bid/70585
http://www.securitytracker.com/id/1031053
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6
https://exchange.xforce.ibmcloud.com/vulnerabilities/97037
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=26a59d9b46574e45...
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n...
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n...
https://kc.mcafee.com/corporate/index?page=content&id=SB10091
https://support.apple.com/HT205217
https://support.citrix.com/article/CTX216642
https://www.openssl.org/news/secadv_20141015.txt

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	openssl	openssl	*		Up to (including) 0.9.8zb
	运行在以下环境
	应用	openssl	openssl	1.0.0	-
	运行在以下环境
	应用	openssl	openssl	1.0.0a	-
	运行在以下环境
	应用	openssl	openssl	1.0.0b	-
	运行在以下环境
	应用	openssl	openssl	1.0.0c	-
	运行在以下环境
	应用	openssl	openssl	1.0.0d	-
	运行在以下环境
	应用	openssl	openssl	1.0.0e	-
	运行在以下环境
	应用	openssl	openssl	1.0.0f	-
	运行在以下环境
	应用	openssl	openssl	1.0.0g	-
	运行在以下环境
	应用	openssl	openssl	1.0.0h	-
	运行在以下环境
	应用	openssl	openssl	1.0.0i	-
	运行在以下环境
	应用	openssl	openssl	1.0.0j	-
	运行在以下环境
	应用	openssl	openssl	1.0.0k	-
	运行在以下环境
	应用	openssl	openssl	1.0.0l	-
	运行在以下环境
	应用	openssl	openssl	1.0.0m	-
	运行在以下环境
	应用	openssl	openssl	1.0.0n	-
	运行在以下环境
	应用	openssl	openssl	1.0.1	-
	运行在以下环境
	应用	openssl	openssl	1.0.1a	-
	运行在以下环境
	应用	openssl	openssl	1.0.1b	-
	运行在以下环境
	应用	openssl	openssl	1.0.1c	-
	运行在以下环境
	应用	openssl	openssl	1.0.1d	-
	运行在以下环境
	应用	openssl	openssl	1.0.1e	-
	运行在以下环境
	应用	openssl	openssl	1.0.1f	-
	运行在以下环境
	应用	openssl	openssl	1.0.1g	-
	运行在以下环境
	应用	openssl	openssl	1.0.1h	-
	运行在以下环境
	应用	openssl	openssl	1.0.1i	-
	运行在以下环境
	系统	amazon_AMI	openssl	*		Up to (excluding) 1.0.1j-1.80.amzn1
	运行在以下环境
	系统	debian	DPKG	*		Up to (excluding) 1.0.1j-1
	运行在以下环境
	系统	debian_10	openssl	*		Up to (excluding) 1.0.1j-1
	运行在以下环境
	系统	debian_11	openssl	*		Up to (excluding) 1.0.1j-1
	运行在以下环境
	系统	debian_12	openssl	*		Up to (excluding) 1.0.1j-1
	运行在以下环境
系统	debian_6	openssl	*		Up to (excluding) 0.9.8o-4squeeze18
运行在以下环境
系统	debian_7	openssl	*		Up to (excluding) 1.0.1e-2+deb7u13
运行在以下环境
系统	opensuse_12.3	libopenssl1_0_0-32bit	*		Up to (excluding) 1.0.1j-1.68.1
运行在以下环境
系统	opensuse_13.1	libopenssl1_0_0-32bit	*		Up to (excluding) 1.0.1j-11.56.1
运行在以下环境
系统	opensuse_13.2	libopenssl0_9_8-debugsource	*		Up to (excluding) 0.9.8zh-9.3.1
运行在以下环境
系统	opensuse_Leap_42.1	libopenssl0_9_8	*		Up to (excluding) 0.9.8zh-14.1
运行在以下环境
系统	suse_11_SP2	openssl-doc	*		Up to (excluding) 0.9.8j-0.50.1
运行在以下环境
系统	suse_11_SP3	openssl	*		Up to (excluding) 0.9.8j-0.66.1
运行在以下环境
系统	suse_12	libopenssl1_0_0	*		Up to (excluding) 4.8.6-7.1
运行在以下环境
系统	suse_12_SP1	libqt4-x11-32bit	*		Up to (excluding) 4.8.6-7.1
运行在以下环境
系统	ubuntu_12.04.5_lts	openssl	*		Up to (excluding) 1.0.1-4ubuntu5.20
运行在以下环境
系统	ubuntu_14.04	openssl	*		Up to (excluding) 1.0.1f-1ubuntu2.7
运行在以下环境
系统	ubuntu_14.04.6_lts	openssl	*		Up to (excluding) 1.0.1f-1ubuntu2.7
运行在以下环境
系统	ubuntu_16.04	openssl	*		Up to (excluding) 1.0.1f-1ubuntu9
运行在以下环境
系统	ubuntu_16.04.7_lts	openssl	*		Up to (excluding) 1.0.1f-1ubuntu9
运行在以下环境
系统	ubuntu_18.04	openssl	*		Up to (excluding) 1.0.1f-1ubuntu9
运行在以下环境
系统	ubuntu_18.04.5_lts	openssl	*		Up to (excluding) 1.0.1f-1ubuntu9
运行在以下环境
系统	ubuntu_18.10	openssl	*		Up to (excluding) 1.0.1f-1ubuntu9

攻击路径

远程
攻击复杂度

复杂
权限要求

无需权限
影响范围

越权影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

数据泄露
数据完整性

传输被破坏
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型

中危 Apple Xcode 至 6.4 IDE Xcode Server 加密问题漏洞

漏洞描述

解决建议

参考链接

受影响软件情况