8. <definition class="patch" id="oval:com.redhat.rhsa:def:20140679" version="601">
<metadata>
<title>RHSA-2014:0679: openssl security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0679-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0679.html" source="RHSA"/>
<reference ref_id="CVE-2010-5298" ref_url="https://www.redhat.com/security/data/cve/CVE-2010-5298.html" source="CVE"/>
~~~
<description>OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.
It was found that OpenSSL clients and servers could be forced, via a
specially crafted handshake packet, to use weak keying material for
communication. A man-in-the-middle attacker could use this flaw to decrypt
and modify traffic between a client and a server. (CVE-2014-0224)
~~~
All OpenSSL users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For the update to take
effect, all services linked to the OpenSSL library (such as httpd and other
SSL-enabled services) must be restarted or the system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve cvss2="4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P" cwe="CWE-416" href="https://www.redhat.com/security/data/cve/CVE-2010-5298.html" impact="moderate" public="20140408">CVE-2010-5298</cve>
<cve cvss2="5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N" cwe="CWE-119" href="https://www.redhat.com/security/data/cve/CVE-2014-0195.html" public="20140605">CVE-2014-0195</cve>
<cve cvss2="4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P" cwe="CWE-476" href="https://www.redhat.com/security/data/cve/CVE-2014-0198.html" impact="moderate" public="20140421">CVE-2014-0198</cve>
<cve cvss2="4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P" cwe="CWE-400" href="https://www.redhat.com/security/data/cve/CVE-2014-0221.html" impact="moderate" public="20140605">CVE-2014-0221</cve>
<cve cvss2="5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N" cwe="CWE-841" href="https://www.redhat.com/security/data/cve/CVE-2014-0224.html" public="20140605">CVE-2014-0224</cve>
<cve cvss2="4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P" cwe="CWE-476" href="https://www.redhat.com/security/data/cve/CVE-2014-3470.html" impact="moderate" public="20140605">CVE-2014-3470</cve>
<bugzilla href="https://bugzilla.redhat.com/1087195" id="1087195">CVE-2010-5298 openssl: freelist misuse causing a possible use-after-free</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1093837" id="1093837">CVE-2014-0198 openssl: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference in do_ssl3_write()</bugzilla>
~~~
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679011"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679007"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679009"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
">
<criteria operator="AND">
~~~
<criterion comment="openssl is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679005"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-libs is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679013"/>
<criterion comment="openssl-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679014"/>
</criteria>
Excerpt of the OVAL definition
The CVE IDs it covers
The conditions under which those CVEs apply
9. <criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679011"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679007"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679009"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
~~~
The criteria block, enlarged
What Vuls collects on the server being scanned:
# rpm -qa | grep openssl
openssl-static-1.0.0k-1.el7.x86_64
Vuls judges the server vulnerable when the installed package version is older (by rpm's epoch:version-release ordering) than the fixed version named in the criterion.
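The decision the two slides describe, evaluated end to end as an added example. This is not Vuls code and not Red Hat's OVAL tooling: it walks the AND/OR criteria tree, parses the `rpm -qa` style package list, and compares the installed epoch:version-release against the fixed one using a reimplementation of rpm's own ordering (rpmvercmp: split into numeric and alphabetic segments, numeric beats alpha, tilde sorts before everything). The embedded OVAL excerpt is constructed from the RHSA-2014:0679 criteria above, reduced to two package branches, and the package lines are constructed input. Two simplifications are assumptions of this example: the three criterion comment phrasings are interpreted directly instead of resolving each test_ref into the rpminfo test, object and state in the OVAL <tests> section, and the "signed with Red Hat ... key" criterion is taken as satisfied for any installed package.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the RHSA-2014:0679 criteria shown above, cut down to two
# package branches; the test_ref values are kept but not resolved (see lead-in).
OVAL_CRITERIA = """<criteria operator="AND">
 <criteria operator="OR">
  <criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
 </criteria>
 <criteria operator="OR">
  <criteria operator="AND">
   <criterion comment="openssl-static is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679011"/>
   <criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
  </criteria>
  <criteria operator="AND">
   <criterion comment="openssl-libs is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679013"/>
   <criterion comment="openssl-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679014"/>
  </criteria>
 </criteria>
</criteria>"""

# Constructed scanner input. Plain `rpm -qa` omits the epoch, so a scanner should
# query it (--qf with %{EPOCH}, "(none)" meaning 0); line 2 shows that form for
# a package already at the fixed version.
RPM_QA = "openssl-static-1.0.0k-1.el7.x86_64\nopenssl-libs-1:1.0.1e-34.el7_0.3.x86_64\n"

EARLIER = re.compile(r"^(\S+) is earlier than (\S+)$")
SIGNED = re.compile(r"^(\S+) is signed with Red Hat \S+ key$")
INSTALLED = re.compile(r"^(.+) is installed$")

def rpmvercmp(a, b):
    """Order two version (or release) strings like rpm's rpmvercmp(): -1, 0 or 1."""
    ta = re.findall(r"[0-9]+|[A-Za-z]+|~", a)
    tb = re.findall(r"[0-9]+|[A-Za-z]+|~", b)
    while ta or tb:
        if (ta and ta[0] == "~") or (tb and tb[0] == "~"):  # tilde sorts before anything
            if not ta or ta[0] != "~":
                return 1
            if not tb or tb[0] != "~":
                return -1
            del ta[0], tb[0]
            continue
        if not ta or not tb:                 # the string with segments left is newer
            return -1 if not ta else 1
        x, y = ta.pop(0), tb.pop(0)
        if x.isdigit() != y.isdigit():       # a numeric segment beats an alpha one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)            # int() drops leading zeros, as rpm does
        if x != y:
            return 1 if x > y else -1
    return 0

def parse_evr(evr):
    """'[epoch:]version[-release]' -> (int epoch, version, release); no epoch means 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def evrcmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def parse_nevra(line):
    """'name-[epoch:]version-release.arch' -> (name, evr, arch)."""
    name_evr, _, arch = line.rpartition(".")
    name_ver, _, release = name_evr.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    return name, f"{version}-{release}", arch

def evaluate(node, installed, platform, hits):
    """Fold a <criteria>/<criterion> tree with its AND/OR operators.
    Assumption: comments follow Red Hat's three fixed phrasings, and the
    signature test is taken as satisfied for any installed package."""
    if node.tag == "criteria":
        results = [evaluate(c, installed, platform, hits) for c in node]
        return all(results) if node.get("operator", "AND") == "AND" else any(results)
    comment = node.get("comment", "")
    if m := EARLIER.match(comment):
        name, fixed = m.groups()
        if name in installed and evrcmp(installed[name], fixed) < 0:
            hits.append((name, installed[name], fixed))
            return True
        return False
    if m := SIGNED.match(comment):
        return m.group(1) in installed
    if m := INSTALLED.match(comment):
        return m.group(1) == platform
    return False

def scan(criteria_xml, rpm_qa_output, platform):
    """Return (definition applies?, [(name, installed evr, fixed evr), ...])."""
    installed = dict(parse_nevra(line)[:2] for line in rpm_qa_output.split())
    hits = []
    applies = evaluate(ET.fromstring(criteria_xml), installed, platform, hits)
    return applies, hits
```

Calling `scan(OVAL_CRITERIA, RPM_QA, "Red Hat Enterprise Linux 7 Server")` on the constructed input reports that the definition applies and lists openssl-static (installed 1.0.0k-1.el7, fixed 1:1.0.1e-34.el7_0.3), while openssl-libs at the fixed EVR is not flagged. The epoch is what makes the second result correct: the RHEL 7 openssl packages carry epoch 1, and a comparison that reads the default `rpm -qa` output (which prints no epoch) would treat an already patched 1.0.1e-34.el7_0.3 as 0:1.0.1e-34.el7_0.3, older than 1:1.0.1e-34.el7_0.3, and raise a false positive.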