{"id":29097,"date":"2022-04-29T11:38:20","date_gmt":"2022-04-29T11:38:20","guid":{"rendered":"https:\/\/www.egroup.hu\/uj-serulekenyseget-eszleltek-a-digitalis-alairasok-ellenorzesenel\/"},"modified":"2022-04-29T12:20:34","modified_gmt":"2022-04-29T12:20:34","slug":"uj-serulekenyseget-eszleltek-a-digitalis-alairasok-ellenorzesenel","status":"publish","type":"post","link":"https:\/\/www.egroup.hu\/hu\/uj-serulekenyseget-eszleltek-a-digitalis-alairasok-ellenorzesenel\/","title":{"rendered":"New vulnerability detected in the verification of digital signatures"},"content":{"rendered":"\n<p>Even the big players struggle with the elliptic curves used in the cryptographic operations behind digital signatures: after the earlier bug affecting the Microsoft Windows CryptoAPI, now, with an announcement on 19 April 2022, the Oracle Java SE framework has fallen too. E-Group's cryptography experts analysed the bug, which requires immediate action.<\/p>\n\n<p>According to the vulnerability report (CVE-2022-21449), several Oracle products, among them the Oracle Java SE framework, contain a vulnerability in the verification of ECDSA digital signatures.<\/p>\n\n<p>According to the CVE\/NVD descriptions and other analyses, the bug stems from a missing check for the value 0 in the verification of elliptic-curve digital signatures (that is, in the ASN.1 (r,s) or raw (r,s) values of ECDSA signatures based on a curve such as NIST P-256). Users rarely encounter such signature operations directly, but in the background such data are created and verified in countless places, for example:<\/p>\n\n<ul><li>in the XML Signature layers of the OASIS SAML protocol and in the JWS (signed JWT) data of the OpenID Connect protocol (e.g. in third-party Single Sign-On systems);<\/li><li>in file signatures (e.g. documents authenticated with a smart card, X.509 certificates, or the protection of system files, which SIEM\/SOC systems additionally monitor and alert on when they detect an anomaly);<\/li><li>in the SSL\/TLS handshake, that is, when establishing encrypted communication channels.<\/li><\/ul>\n<p><strong>These are only the most important areas; other protocols and data structures are also affected.<\/strong><\/p>\n\n<p>In our analyses we used our own code to examine which Oracle Java SE versions are affected, across several kinds of data structures. On this basis we can confirm that the older Oracle Java SE 8, used in many legacy systems, is not affected, whereas among the supported (LTS) versions Oracle Java SE 17.0.2 and newer all contain the exploitable vulnerability until the April 2022 security patch is installed.<\/p>\n\n<p>Whether a given system is affected, however, is not easy to determine. Exploiting the vulnerability depends not only on the Java version running on the side of the party verifying the ECDSA signature (e.g. Oracle Java SE 17.0.2) but also on the crypto library it uses (e.g. Bouncy Castle and Apache Santuario are not affected). For the parties taking part in the communication &#8211; servers and clients (primarily Java clients using machine-to-machine interfaces) &#8211; the review is possible only with the involvement of operations and, where necessary, the developers, but the essential point is that everyone must move to a bug-free Java version and crypto library as soon as possible.<\/p>\n\n<p>We recommend that everyone consult their developers; E-Group's professionally trained cryptography team will also gladly receive any enquiry.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Even the big players struggle with the elliptic curves used in the cryptographic operations behind digital signatures: a vulnerability has been found in the Oracle Java SE framework. E-Group's cryptography experts analysed the bug, which requires immediate action.<\/p>\n","protected":false},"author":10,"featured_media":29092,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[90],"tags":[510,511,512,466],"yoast_head_json":{"title":"New vulnerability detected in the verification of digital signatures - E-Group","canonical":"https:\/\/www.egroup.hu\/hu\/uj-serulekenyseget-eszleltek-a-digitalis-alairasok-ellenorzesenel\/","og_locale":"hu_HU","og_type":"article","og_site_name":"E-Group","article_published_time":"2022-04-29T11:38:20+00:00","article_modified_time":"2022-04-29T12:20:34+00:00","og_image":[{"width":1920,"height":1280,"url":"https:\/\/www.egroup.hu\/wp-content\/uploads\/2022\/04\/security-risk-1.jpg","type":"image\/jpeg"}],"author":"Attila Galambos","twitter_misc":{"Author:":"Attila Galambos","Estimated reading time":"3 minutes"}}}