CVE-2014-0160

high

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

References

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3

https://bugzilla.redhat.com/show_bug.cgi?id=1084875

http://www.openssl.org/news/secadv_20140407.txt

http://heartbleed.com/

http://www.securitytracker.com/id/1030078

http://seclists.org/fulldisclosure/2014/Apr/109

http://seclists.org/fulldisclosure/2014/Apr/190

https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html

http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html

http://rhn.redhat.com/errata/RHSA-2014-0376.html

http://rhn.redhat.com/errata/RHSA-2014-0396.html

http://www.securitytracker.com/id/1030082

http://secunia.com/advisories/57347

http://marc.info/?l=bugtraq&m=139722163017074&w=2

http://www.securitytracker.com/id/1030077

http://www-01.ibm.com/support/docview.wss?uid=swg21670161

http://www.debian.org/security/2014/dsa-2896

http://rhn.redhat.com/errata/RHSA-2014-0377.html

http://www.securitytracker.com/id/1030080

http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html

http://www.securitytracker.com/id/1030074

http://seclists.org/fulldisclosure/2014/Apr/90

http://www.securitytracker.com/id/1030081

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

http://rhn.redhat.com/errata/RHSA-2014-0378.html

http://seclists.org/fulldisclosure/2014/Apr/91

http://secunia.com/advisories/57483

http://www.splunk.com/view/SP-CAAAMB3

http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html

http://www.securitytracker.com/id/1030079

http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html

http://secunia.com/advisories/57721

http://www.blackberry.com/btsc/KB35882

http://www.securitytracker.com/id/1030026

http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html

http://www.securityfocus.com/bid/66690

http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/

http://www.us-cert.gov/ncas/alerts/TA14-098A

http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/

http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/

https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

http://secunia.com/advisories/57966

http://www.f-secure.com/en/web/labs_global/fsc-2014-1

http://seclists.org/fulldisclosure/2014/Apr/173

http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/

http://secunia.com/advisories/57968

https://code.google.com/p/mod-spdy/issues/detail?id=85

http://www.exploit-db.com/exploits/32745

http://www.kb.cert.org/vuls/id/720951

https://www.cert.fi/en/reports/2014/vulnerability788210.html

http://www.exploit-db.com/exploits/32764

http://secunia.com/advisories/57836

https://gist.github.com/chapmajs/10473815

http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/

http://cogentdatahub.com/ReleaseNotes.html

http://marc.info/?l=bugtraq&m=139905458328378&w=2

http://marc.info/?l=bugtraq&m=139869891830365&w=2

http://marc.info/?l=bugtraq&m=139889113431619&w=2

http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1

http://www.kerio.com/support/kerio-control/release-history

http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3

http://advisories.mageia.org/MGASA-2014-0165.html

https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04260637-4%257CdocLocale%253Den_US%257CcalledBy%253DSearch_Result&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

http://www-01.ibm.com/support/docview.wss?uid=isg400001843

https://filezilla-project.org/versions.php?type=server

http://www-01.ibm.com/support/docview.wss?uid=isg400001841

https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217

http://marc.info/?l=bugtraq&m=141287864628122&w=2

http://seclists.org/fulldisclosure/2014/Dec/23

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

http://marc.info/?l=bugtraq&m=142660345230545&w=2

http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0

http://www.mandriva.com/security/advisories?name=MDVSA-2015:062

http://marc.info/?l=bugtraq&m=139817727317190&w=2

http://marc.info/?l=bugtraq&m=139757726426985&w=2

http://marc.info/?l=bugtraq&m=139758572430452&w=2

http://marc.info/?l=bugtraq&m=139905653828999&w=2

http://marc.info/?l=bugtraq&m=139842151128341&w=2

http://marc.info/?l=bugtraq&m=139905405728262&w=2

http://marc.info/?l=bugtraq&m=139833395230364&w=2

http://marc.info/?l=bugtraq&m=139824993005633&w=2

http://marc.info/?l=bugtraq&m=139843768401936&w=2

http://marc.info/?l=bugtraq&m=139905202427693&w=2

http://marc.info/?l=bugtraq&m=139774054614965&w=2

http://marc.info/?l=bugtraq&m=139889295732144&w=2

http://marc.info/?l=bugtraq&m=139835815211508&w=2

http://marc.info/?l=bugtraq&m=140724451518351&w=2

http://marc.info/?l=bugtraq&m=139808058921905&w=2

http://marc.info/?l=bugtraq&m=139836085512508&w=2

http://marc.info/?l=bugtraq&m=139869720529462&w=2

http://marc.info/?l=bugtraq&m=139905868529690&w=2

http://marc.info/?l=bugtraq&m=139765756720506&w=2

http://marc.info/?l=bugtraq&m=140015787404650&w=2

http://marc.info/?l=bugtraq&m=139824923705461&w=2

http://marc.info/?l=bugtraq&m=139757919027752&w=2

http://marc.info/?l=bugtraq&m=139774703817488&w=2

http://marc.info/?l=bugtraq&m=139905243827825&w=2

http://marc.info/?l=bugtraq&m=140075368411126&w=2

http://marc.info/?l=bugtraq&m=139905295427946&w=2

http://marc.info/?l=bugtraq&m=139835844111589&w=2

http://marc.info/?l=bugtraq&m=139757819327350&w=2

http://marc.info/?l=bugtraq&m=139817685517037&w=2

http://marc.info/?l=bugtraq&m=139905351928096&w=2

http://marc.info/?l=bugtraq&m=139817782017443&w=2

http://marc.info/?l=bugtraq&m=140752315422991&w=2

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661

http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf

http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf

http://secunia.com/advisories/59347

http://secunia.com/advisories/59243

http://secunia.com/advisories/59139

http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html

http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01

https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

http://support.citrix.com/article/CTX140605

http://www.ubuntu.com/usn/USN-2165-1

http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html

http://www.securityfocus.com/archive/1/534161/100/0/threaded

https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://sku11army.blogspot.com/2020/01/heartbleed-hearts-continue-to-bleed.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://cert-portal.siemens.com/productcert/pdf/ssa-635659.pdf

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://yunus-shn.medium.com/ricon-industrial-cellular-router-heartbleed-attack-2634221c02bd

Details

Source: MITRE

Published: 2014-04-07

Updated: 2023-02-10

Type: CWE-125

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH