icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

OpenSSL 1.0.1 < 1.0.1g Multiple Vulnerabilities (Heartbleed)

Medium

Synopsis

The remote web server is running an instance of OpenSSL that might be affected by a denial of service vulnerability.

Description

OpenSSL versions 1.0.1 earlier than 1.0.1g contain the following vulnerabilities:

- Out-of-bounds read flaw that can be triggered through TLS heartbeat extension packets to disclose up to 64kB of memory containing sensitive information, possibly including secret keys. (CVE-2014-0160)

- Improperly implemented Elliptic Curve Digital Signature Algorithm (ECDSA) could allow nonce disclosure via the 'FLUSH+RELOAD' cache side-channel attack. (CVE-2014-0076)

Solution

Upgrade to OpenSSL version 1.0.0g or later.