製品・ソフトウェアに関する情報

JVN脆弱性詳細

ARM mbed TLS における認証に関する脆弱性

Title	ARM mbed TLS における認証に関する脆弱性
Summary	ARM mbed TLS には、認証に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 28, 2017, midnight
Registration Date	Oct. 2, 2017, 3:39 p.m.
Last Update	Oct. 2, 2017, 3:39 p.m.

Affected System

ARM Ltd.

ARM mbed TLS 1.3.21 未満

ARM mbed TLS 2.1.9 未満の 2.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-14032	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14032
National Vulnerability Database (NVD)
2	CVE-2017-14032	https://nvd.nist.gov/vuln/detail/CVE-2017-14032

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-287	https://jvndb.jvn.jp/ja/cwe/CWE-287.html

ベンダー情報

No	Name	URL
ARM mbed
1	mbed TLS Security Advisory 2017-02	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
Debian Bug report logs
2	873557	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873557
GitHub
3	Improve behaviour on fatal errors	https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591fc
4	Only return VERIFY_FAILED from a single point	https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32

Change Log

No	Changed Details	Date of change
0	[2017年10月02日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-14032

Summary	ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected.
Publication Date	Aug. 31, 2017, 5:29 a.m.
Registration Date	Jan. 26, 2021, 1:15 p.m.
Last Update	Nov. 21, 2024, 12:12 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://www.debian.org/security/2017/dsa-3967
2	http://www.debian.org/security/2017/dsa-3967
3	https://bugs.debian.org/873557	Issue Tracking Patch Third Party Advisory
4	https://bugs.debian.org/873557	Issue Tracking Patch Third Party Advisory
5	https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32	Issue Tracking Patch Third Party Advisory
6	https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32	Issue Tracking Patch Third Party Advisory
7	https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591fc	Issue Tracking Patch Third Party Advisory
8	https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591fc	Issue Tracking Patch Third Party Advisory
9	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02	Vendor Advisory
10	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02	Vendor Advisory

Common Vulnerabilities List