OpenSSL¿¡¼ ¹ß»ýÇÑ ¸Þ¸ð¸® °í°¥ Ãë¾àÁ¡, Ǫµé µî 4°³ Ãë¾àÁ¡
Áö½ÃµÈ ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®Çϸé Ãë¾àÁ¡ ÇØ°á °¡´É
[º¸¾È´º½º ¹Î¼¼¾Æ] OpenSSL¿¡¼ ¹ß»ýÇÑ ¸Þ¸ð¸® °í°¥ Ãë¾àÁ¡, Ǫµé(Poodle, Padding Oracle On Downloaded Legacy Encryption) Ãë¾àÁ¡ µî ÃÑ 4°³ÀÇ Ãë¾àÁ¡À» º¸¿ÏÇÑ º¸¾È¾÷µ¥ÀÌÆ®¸¦ ¹ßÇ¥Çß´Ù.
4°³ÀÇ Ãë¾àÁ¡Àº ´ÙÀ½°ú °°´Ù. ¡âDTLS SRTP Çڵ彦ÀÌÅ© ¸Þ½ÃÁö¸¦ ó¸®ÇÏ´Â Áß ¹ß»ýÇÏ´Â ¸Þ¸ð¸® °í°¥ Ãë¾àÁ¡(CVE-2014-3513) ¡âSSL/TLS/DTLS ¼¹ö¿¡¼ session ticket °ªÀ» ¹ÞÀ» ¶§ ¹ß»ýÇÏ´Â ¸Þ¸ð¸® °í°¥ Ãë¾àÁ¡(CVE-2014-3567) ¡âSSL3.0¿¡¼ ´Ù¿î ±×·¹À̵带 ÅëÇØ MITM(man-in-the-middle)°ø°ÝÀ» °¡´ÉÇÏ°Ô Çϴ Ǫµé(Poodle, Padding Oracle On Downloaded Legacy Encryption) Ãë¾àÁ¡(CVE-2014-3566) ¡âOpenSSL build optionÀÎ no-ssl3¿¡¼ ¹ß»ýÇÑ Ãë¾àÁ¡(CVE-2014-3568)
¿µÇâ ¹Þ´Â Á¦Ç° ¹× ¹öÀüÀº ¡âOpenSSL 0.9.8 ´ë ¹öÀü ¡âOpenSSL 1.0.0 ´ë ¹öÀü ¡âOpenSSL 1.0.1 ´ë ¹öÀüÀÌ´Ù.
ÇØ´ç Ãë¾àÁ¡¿¡ ¿µÇâ ¹Þ´Â ¹öÀüÀÇ »ç¿ëÀÚ´Â ¾Æ·¡ ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®Çϸé ÇØ°á °¡´ÉÇÏ´Ù.
- OpenSSL 0.9.8 »ç¿ëÀÚ : 0.9.8zc·Î ¾÷µ¥ÀÌÆ®
- OpenSSL 1.0.0 »ç¿ëÀÚ : 1.0.0o·Î ¾÷µ¥ÀÌÆ®
- OpenSSL 1.0.1 »ç¿ëÀÚ : 1.0.1j·Î ¾÷µ¥ÀÌÆ®
±âŸ ¹®ÀÇ»çÇ×Àº Çѱ¹ÀÎÅͳÝÁøÈï¿ø ÀÎÅͳÝħÇØ´ëÀÀ¼¾ÅÍ(±¹¹ø¾øÀÌ 118)³ª ¾Æ·¡ÀÇ Âü°í»çÀÌÆ®¸¦ È®ÀÎÇÏ¸é µÈ´Ù.
[Âü°í»çÀÌÆ®]
[1] https://www.openssl.org/news/secadv_20141015.txt
[2] https://www.openssl.org/
[¿ë¾î ¼³¸í]
DTLS(Datagram Transport Layer Security) : µ¥ÀÌÅÍ ±×·¥ Àü¼Û°èÃþÀ» º¸È£Çϱâ À§ÇÑ UDP ±â¹Ý TLS ÇÁ·ÎÅäÄÝ
SRTP(Secure Real-time Transport Protocol) : ½Ç½Ã°£À¸·Î Àü¼ÛµÇ´Â ¸ÖƼ¹Ìµð¾î µ¥ÀÌÅ͸¦ ¾ÏÈ£ÈÇÏ¿© ¼Û¼ö½ÅÇÏ´Â ÇÁ·ÎÅäÄÝ
[¹Î¼¼¾Æ ±âÀÚ(boan5@boannews.com)]
<ÀúÀÛ±ÇÀÚ: º¸¾È´º½º(http://www.boannews.com/) ¹«´ÜÀüÀç-Àç¹èÆ÷±ÝÁö>