Ò»�¡¢�¡¢¡¢Åä¾°½éÉÜ
3ÔÂ29ÈÕ�£¬�£¬�£¬ÊÐίÍøÐÅ°ìÊÖÒÕÖ§³Öµ¥Î»¼à²âµ½OpenSSLÐû²¼Çå¾²¸üзçÏÕͨ¸æ�£¬�£¬�£¬ÐÞ¸´ÁËOpenSSL²úÆ·ÖеÄÒ»¸ö¾Ü¾ø·þÎñÎó²îºÍÒ»¸öÖ¤ÊéÑéÖ¤ÈƹýÎó²î£¨CVE-2021-3449�¡¢�¡¢¡¢CVE-2021-3450£©�¡£�¡£�¡£
1.1 Îó²îÐÎò
OpenSSLÊÇÒ»¸ö¿ª·ÅÔ´´úÂëµÄÈí¼þ¿â°ü�£¬�£¬�£¬Ó¦ÓóÌÐò¿ÉÒÔʹÓÃÕâ¸ö°üÀ´¾ÙÐÐÇ徲ͨѶ�£¬�£¬�£¬Í¬Ê±È·ÈÏÅþÁ¬ÕßÉí·Ý�¡£�¡£�¡£Õâ¸ö°üÆձ鱻ӦÓÃÔÚ»¥ÁªÍøµÄÍøÒ³·þÎñÆ÷ÉÏ�¡£�¡£�¡£
1�¡¢�¡¢¡¢¾Ü¾ø·þÎñÎó²î
ÔÚÖØÐÂÎÕÊÖÀú³ÌÖÐ�£¬�£¬�£¬tls1_set_shared_sigalgs()»áŲÓÃtls12_shared_sigalgs()ÓëÉÏÒ»¸öµÄpeer_sigalgslenÎÕÊÖ�£¬�£¬�£¬¿ÉÊÇÉÏÒ»´ÎÊÍ·ÅÄÚ´æʱûÓÐÖØÖñäÁ¿peer_sigalgslen�£¬�£¬�£¬µ¼Ö tls12_shared_sigalgs()±éÀú peer_sigalgsʱ·ºÆð¿ÕÖ¸Õë½âÒýÓùýʧ�¡£�¡£�¡£²¹¶¡ÔÚÊÍ·Åpeer_sigalgsÄÚ´æʱ�£¬�£¬�£¬ÉèÖÃpeer_sigalgslen±äÁ¿Îª0ÔÙ´ÎÎÕÊÖʱÒÔΪÉÏÒ»´ÎµÄ peer_sigalgslen ²»¿ÉÓÃ�£¬�£¬�£¬¼´²»»á±¬·¢¿ÕÖ¸Õë½âÒýÓÃ�¡£�¡£�¡£
2�¡¢�¡¢¡¢Ö¤ÊéÑéÖ¤ÈƹýÎó²î
ÔÚ¿ªÆô X509_V_FLAG_X509_STRICT Ñ¡ÏîµÄopenssl·þÎñÆ÷ÉÏ�£¬�£¬�£¬ÓÉÓÚOpenSSL¶ÔX.509Ö¤ÊéÁ´µÄÑéÖ¤Âß¼Öб£´æÎÊÌâ�£¬�£¬�£¬µ¼ÖÂÊÜÓ°ÏìµÄϵͳ½ÓÊÜÓÉ·Ç CA Ö¤Êé»òÖ¤ÊéÁ´ÊðÃûµÄÓÐÓÃÖ¤Êé�¡£�¡£�¡£¹¥»÷Õß¿ÉÒÔͨ¹ýʹÓÃÈκÎÓÐÓõÄÖ¤Êé»òÖ¤ÊéÁ´À´ÊðÃûÈ«ÐÄÖÆ×÷µÄÖ¤ÊéÀ´Ê¹ÓôËÎó²î�¡£�¡£�¡£´Ó¶øʵÏÖÄÜʹ¹¥»÷ÕßÄܹ»¾ÙÐÐÖÐÐÄÈË£¨MiTM£©¹¥»÷²¢»ñÈ¡Ãô¸ÐÐÅÏ¢(ÀýÈç�£º»á¼ûÊÜÖ¤ÊéÉí·ÝÑéÖ¤±�£»�£»¤µÄÍøÂç»ò×ʲú�£¬�£¬�£¬ÇÔÌý¼ÓÃÜͨѶÄÚÈÝ)�¡£�¡£�¡£
1.2 Îó²î±àºÅ
CVE-2021-3449
CVE-2021-3450
1.3 Îó²îÆ·¼¶
¸ßΣ
¶þ�¡¢�¡¢¡¢ÐÞ¸´½¨Òé
2.1 ÊÜÓ°Ïì°æ±¾
ËùÓÐ OpenSSL1.1.1°æ�¡£�¡£�¡£
OpenSSL1.0.2²»ÊÜ´ËÎÊÌâÓ°Ïì�¡£�¡£�¡£
2.2 ÐÞ¸´½¨Òé
OpenSSLÒѾÐû²¼ÁËÇå¾²¸üÐÂ�£¬�£¬�£¬½¨ÒéÊÜÓ°ÏìÓû§¾¡¿ìÉý¼¶µ½ openssl1.1.1k°æ±¾�¡£�¡£�¡£
