Amaran Untuk Pentadbir Sistem Laman Web : OpenSSL Heartbleed Information Disclosure Vulnerability
08 April 2014 | Label: Keselamatan, OWASP | |
Amaran Untuk Pentadbir Sistem Laman Web : OpenSSL Heartbleed Information Disclosure Vulnerability
[HIGH ALERT] Status SEGERA dan KRITIKAL.
Semua laman web HTTPS, yang menggunakan OpenSSL sama ada Apache, Nginx dan lain-lain, dalam Linux atau Windows, XAMPP. Sila segerakan kemasan (upgrade).
Rujukan
https://www.openssl.org/news/secadv_20140407.txt
Amaran dari MyCERT http://www.mycert.org.my/en/services/advisories/mycert/2014/main/detail/963/index.html
Pengesanan
Saya gunakan https://www.ssllabs.com/ssltest/ untuk periksa OpenSSL apa yang digunakan.
Selepas keputusan keluar gunakan fungsi find (CTRL dan F) dalam page result, cari OpenSSL. Apa jua versi 1.0.1 perlu kemasan ke 1.0.1g
Bacaan lanjut
http://heartbleed.com/
Bantuan
Pertanyaan dan panduan boleh berbincang di Perbincangan OWASP.my di Facebook
https://www.facebook.com/groups/owaspmy/
Sebaran oleh Harisfazillah Jamel (LinuxMalaysia)
8 Apr 2014
OpenSSL Security Advisory [07 Apr 2014]
TLS heartbeat read overrun (CVE-2014-0160)
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
