製品・ソフトウェアに関する情報

JVN脆弱性詳細

cURL および libcurl のデフォルト設定における重要な情報を取得される脆弱性

Title	cURL および libcurl のデフォルト設定における重要な情報を取得される脆弱性
Summary	cURL および libcurl のデフォルト設定は、プロキシおよび宛先サーバの両方にカスタム HTTP ヘッダを送信するため、重要な情報を取得される脆弱性が存在します。
Possible impacts	リモートのプロキシサーバにより、ヘッダコンテンツを読まれることで、重要な情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 29, 2015, midnight
Registration Date	May 7, 2015, 4:59 p.m.
Last Update	Jan. 28, 2016, 3:44 p.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:P/I:N/A:N

Affected System

オラクル

MySQL Enterprise Monitor 2.3.20 およびそれ以前

MySQL Enterprise Monitor 3.0.22 およびそれ以前

MySQL Enterprise Monitor 2.3.20 およびそれ以前

MySQL Enterprise Monitor 3.0.22 およびそれ以前

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 12.1.4 未満

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 12.2.0

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 12.2.1

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 12.3.0

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 12.1.4 未満

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 12.2.0

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 12.2.1

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 12.3.0

アップル

Apple Mac OS X 10.10 から 10.10.4

Canonical

Ubuntu (vivid)

Ubuntu 12.04 LTS

Ubuntu 14.04 LTS

Ubuntu 14.10

Ubuntu (vivid)

Ubuntu 12.04 LTS

Ubuntu 14.04 LTS

Ubuntu 14.10

Haxx

cURL 7.42.1 未満

libcurl 7.42.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-3153	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3153
2	CVE-2015-3153	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3153
National Vulnerability Database (NVD)
3	CVE-2015-3153	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3153
4	CVE-2015-3153	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3153

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html
2	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
Apple Mailing Lists
1	APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006	http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
2	APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006	http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
Apple Security Updates
3	HT205031	https://support.apple.com/en-us/HT205031
4	HT205031	https://support.apple.com/en-us/HT205031
Apple セキュリティアップデート
5	HT205031	https://support.apple.com/ja-jp/HT205031
6	HT205031	https://support.apple.com/ja-jp/HT205031
Oracle Critical Patch Update
7	Oracle Critical Patch Update Advisory - January 2016	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
8	Oracle Critical Patch Update Advisory - January 2016	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
9	Oracle Critical Patch Update Advisory - October 2015	http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
10	Oracle Critical Patch Update Advisory - October 2015	http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
11	Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
12	Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
13	Text Form of Oracle Critical Patch Update - October 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpuoct2015verbose-2367954.html
14	Text Form of Oracle Critical Patch Update - October 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpuoct2015verbose-2367954.html
Security Advisory
15	sensitive HTTP server headers also sent to proxies	http://curl.haxx.se/docs/adv_20150429.html
16	sensitive HTTP server headers also sent to proxies	http://curl.haxx.se/docs/adv_20150429.html
SECURITY BLOG
17	January 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2016_critical_patch_update
18	January 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2016_critical_patch_update
19	October 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/october_2015_critical_patch_update
20	October 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/october_2015_critical_patch_update
Ubuntu Security Notice
21	USN-2591-1	http://www.ubuntu.com/usn/USN-2591-1/
22	USN-2591-1	http://www.ubuntu.com/usn/USN-2591-1/

Change Log

No	Changed Details	Date of change
0	[2015年05月07日] 掲載 [2015年08月31日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：アップル (APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006) を追加ベンダ情報：アップル (HT205031) を追加 [2015年11月06日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - October 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - October 2015 Risk Matrices) を追加ベンダ情報：オラクル (October 2015 Critical Patch Update Released) を追加 [2016年01月28日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2016) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices) を追加ベンダ情報：オラクル (January 2016 Critical Patch Update Released) を追加	Feb. 17, 2018, 10:37 a.m.
0	[2015年05月07日] 掲載 [2015年08月31日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：アップル (APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006) を追加ベンダ情報：アップル (HT205031) を追加 [2015年11月06日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - October 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - October 2015 Risk Matrices) を追加ベンダ情報：オラクル (October 2015 Critical Patch Update Released) を追加 [2016年01月28日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2016) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices) を追加ベンダ情報：オラクル (January 2016 Critical Patch Update Released) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2015-3153

Summary	The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
Publication Date	May 2, 2015, 12:59 a.m.
Registration Date	Jan. 26, 2021, 2:49 p.m.
Last Update	Nov. 21, 2024, 11:28 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.1:::::::*
cpe:2.3:a:oracle:enterprise_manager_ops_center::::::::		12.1.3
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.0:::::::*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.0:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:haxx:libcurl::::::::		7.42.0
cpe:2.3:a:haxx:curl::::::::		7.42.0

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:15.1:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:14.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:apple:mac_os_x:10.10.4:::::::*

Configuration5		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://curl.haxx.se/docs/adv_20150429.html	Vendor Advisory
2	http://curl.haxx.se/docs/adv_20150429.html	Vendor Advisory
3	http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
4	http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
5	http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html	Mailing List Third Party Advisory
6	http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html	Mailing List Third Party Advisory
7	http://lists.opensuse.org/opensuse-updates/2015-05/msg00017.html
8	http://lists.opensuse.org/opensuse-updates/2015-05/msg00017.html
9	http://www.debian.org/security/2015/dsa-3240	Third Party Advisory
10	http://www.debian.org/security/2015/dsa-3240	Third Party Advisory
11	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
12	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
13	http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
14	http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
15	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html	Patch Third Party Advisory
16	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html	Patch Third Party Advisory
17	http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html	Patch Third Party Advisory
18	http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html	Patch Third Party Advisory
19	http://www.securityfocus.com/bid/74408
20	http://www.securityfocus.com/bid/74408
21	http://www.securitytracker.com/id/1032233	Third Party Advisory VDB Entry
22	http://www.securitytracker.com/id/1032233	Third Party Advisory VDB Entry
23	http://www.ubuntu.com/usn/USN-2591-1	Third Party Advisory
24	http://www.ubuntu.com/usn/USN-2591-1	Third Party Advisory
25	https://kc.mcafee.com/corporate/index?page=content&id=SB10131
26	https://kc.mcafee.com/corporate/index?page=content&id=SB10131
27	https://support.apple.com/kb/HT205031	Third Party Advisory
28	https://support.apple.com/kb/HT205031	Third Party Advisory

Common Vulnerabilities List