低危 OpenSSL:CVE-2020-1971 EDIPARTYNAME 空指针间接引用

CVE编号

CVE-2020-1971

利用情况

POC 已公开

补丁情况

官方补丁

披露时间

2021-10-12
漏洞描述
OpenSSL是Openssl团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 OpenSSL 1.1.1版本和1.0.2版本存在安全漏洞,该漏洞源于空指针解引用和崩溃可能会导致拒绝服务攻击。

解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
http://www.openwall.com/lists/oss-security/2021/09/14/2
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14e...
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215eb...
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676
https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a67989...
https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a...
https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html
https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1971
https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc
https://security.gentoo.org/glsa/202012-13
https://security.netapp.com/advisory/ntap-20201218-0005/
https://security.netapp.com/advisory/ntap-20210513-0002/
https://www.debian.org/security/2020/dsa-4807
https://www.openssl.org/news/secadv/20201208.txt
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.tenable.com/security/tns-2020-11
https://www.tenable.com/security/tns-2021-09
https://www.tenable.com/security/tns-2021-10
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 openssl openssl * From
(including)
1.0.2 		Up to
(including)
1.0.2w
运行在以下环境
应用 openssl openssl * From
(including)
1.1.1 		Up to
(including)
1.1.1h
运行在以下环境
系统 alibaba_cloud_linux_2.1903 openssl * Up to
(excluding)
1.0.2k-21.1.al7
运行在以下环境
系统 alibaba_cloud_linux_3 openssl * Up to
(excluding)
1.1.1g-12.1.al8
运行在以下环境
系统 alpine_3.10 openssl * Up to
(excluding)
1.1.1i-r0
运行在以下环境
系统 alpine_3.11 openssl * Up to
(excluding)
1.1.1i-r0
运行在以下环境
系统 alpine_3.12 openssl * Up to
(excluding)
1.1.1i-r0
运行在以下环境
系统 alpine_3.13 openssl * Up to
(excluding)
3.1.5-r0
运行在以下环境
系统 alpine_3.14 openssl * Up to
(excluding)
3.1.5-r0
运行在以下环境
系统 alpine_3.15 openssl * Up to
(excluding)
3.1.5-r0
运行在以下环境
系统 alpine_3.16 openssl * Up to
(excluding)
3.1.5-r0
运行在以下环境
系统 alpine_3.17 openssl * Up to
(excluding)
3.1.5-r0
运行在以下环境
系统 alpine_3.18 openssl * Up to
(excluding)
3.1.5-r0
运行在以下环境
系统 alpine_3.19 openssl * Up to
(excluding)
3.1.5-r0
运行在以下环境
系统 alpine_3.9 openssl * Up to
(excluding)
1.1.1i-r0
运行在以下环境
系统 amazon_2 openssl * Up to
(excluding)
1.0.2k-19.amzn2.0.4
运行在以下环境
系统 amazon_AMI openssl * Up to
(excluding)
1.0.2k-16.152.amzn1
运行在以下环境
系统 centos_7 openssl * Up to
(excluding)
1.0.2k-21.el7_9
运行在以下环境
系统 debian_10 openssl * Up to
(excluding)
1.1.1d-0+deb10u4
运行在以下环境
系统 debian_11 openssl * Up to
(excluding)
1.1.1i-1
运行在以下环境
系统 debian_12 openssl * Up to
(excluding)
1.1.1i-1
运行在以下环境
系统 debian_9 openssl * Up to
(excluding)
1.1.0l-1~deb9u2
运行在以下环境
系统 fedora_32 openssl * Up to
(excluding)
1.1.1i-1.fc32
运行在以下环境
系统 fedora_33 openssl * Up to
(excluding)
1.1.1i-1.fc33
运行在以下环境
系统 fedora_EPEL_7 openssl11 * Up to
(excluding)
1.1.1g-2.el7
运行在以下环境
系统 kylinos_aarch64_V10 openssl * Up to
(excluding)
1.0.2k-21.el7_9.ns7.01
运行在以下环境
系统 kylinos_aarch64_V10SP1 shim * Up to
(excluding)
15-23.p01.ky10
运行在以下环境
系统 kylinos_aarch64_V10SP2 shim * Up to
(excluding)
15-23.p01.ky10
运行在以下环境
系统 kylinos_loongarch64_V10SP1 openssl * Up to
(excluding)
1.1.1f-4.p09.a.ky10
运行在以下环境
系统 kylinos_x86_64_V10 openssl * Up to
(excluding)
1.0.2k-21.el7_9.ns7.01
运行在以下环境
系统 kylinos_x86_64_V10SP1 shim * Up to
(excluding)
15-23.p01.ky10
运行在以下环境
系统 kylinos_x86_64_V10SP2 shim * Up to
(excluding)
15-23.p01.ky10
运行在以下环境
系统 opensuse_Leap_15.1 npm10 * Up to
(excluding)
10.23.1-lp151.2.15.1
运行在以下环境
系统 opensuse_Leap_15.2 npm10 * Up to
(excluding)
10.23.1-lp152.2.9.1
运行在以下环境
系统 opensuse_Leap_15.4 exiv2 * Up to
(excluding)
0.27.5-150400.15.4.1
运行在以下环境
系统 oracle_6 openssl * Up to
(excluding)
1.0.1e-59.0.1.el6_10
运行在以下环境
系统 oracle_7 openssl * Up to
(excluding)
1.0.2k-21.el7_9
运行在以下环境
系统 oracle_8 openssl * Up to
(excluding)
1.1.1g-12.el8_3
运行在以下环境
系统 redhat_7 openssl * Up to
(excluding)
1.0.2k-21.el7_9
运行在以下环境
系统 redhat_8 openssl * Up to
(excluding)
1.1.1g-12.el8_3
运行在以下环境
系统 suse_12_SP5 openssl-1_1 * Up to
(excluding)
1.1.1d-2.27.1
运行在以下环境
系统 ubuntu_16.04 openssl * Up to
(excluding)
1.0.2g-1ubuntu4.18
运行在以下环境
系统 ubuntu_18.04 openssl * Up to
(excluding)
1.1.1-1ubuntu2.1~18.04.7
运行在以下环境
系统 ubuntu_20.04 openssl * Up to
(excluding)
1.1.1f-1ubuntu2.1
阿里云评分
2.7
  • 攻击路径
    远程
  • 攻击复杂度
    困难
  • 权限要求
    无需权限
  • 影响范围
    有限影响
  • EXP成熟度
    POC 已公开
  • 补丁情况
    官方补丁
  • 数据保密性
    无影响
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    100
CWE-ID 漏洞类型
CWE-476 空指针解引用
阿里云安全产品覆盖情况