CVE-2014-0160

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

References

http://advisories.mageia.org/MGASA-2014-0165.html

http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/

http://cogentdatahub.com/ReleaseNotes.html

http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3

http://heartbleed.com/

http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html

http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html

http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html

http://marc.info/?l=bugtraq&m=139722163017074&w=2

http://marc.info/?l=bugtraq&m=139757726426985&w=2

http://marc.info/?l=bugtraq&m=139757819327350&w=2

http://marc.info/?l=bugtraq&m=139757919027752&w=2

http://marc.info/?l=bugtraq&m=139758572430452&w=2

http://marc.info/?l=bugtraq&m=139765756720506&w=2

http://marc.info/?l=bugtraq&m=139774054614965&w=2

http://marc.info/?l=bugtraq&m=139774703817488&w=2

http://marc.info/?l=bugtraq&m=139808058921905&w=2

http://marc.info/?l=bugtraq&m=139817685517037&w=2

http://marc.info/?l=bugtraq&m=139817727317190&w=2

http://marc.info/?l=bugtraq&m=139817782017443&w=2

http://marc.info/?l=bugtraq&m=139824923705461&w=2

http://marc.info/?l=bugtraq&m=139824993005633&w=2

http://marc.info/?l=bugtraq&m=139833395230364&w=2

http://marc.info/?l=bugtraq&m=139835815211508&w=2

http://marc.info/?l=bugtraq&m=139835844111589&w=2

http://marc.info/?l=bugtraq&m=139836085512508&w=2

http://marc.info/?l=bugtraq&m=139842151128341&w=2

http://marc.info/?l=bugtraq&m=139843768401936&w=2

http://marc.info/?l=bugtraq&m=139869720529462&w=2

http://marc.info/?l=bugtraq&m=139869891830365&w=2

http://marc.info/?l=bugtraq&m=139889113431619&w=2

http://marc.info/?l=bugtraq&m=139889295732144&w=2

http://marc.info/?l=bugtraq&m=139905202427693&w=2

http://marc.info/?l=bugtraq&m=139905243827825&w=2

http://marc.info/?l=bugtraq&m=139905295427946&w=2

http://marc.info/?l=bugtraq&m=139905351928096&w=2

http://marc.info/?l=bugtraq&m=139905405728262&w=2

http://marc.info/?l=bugtraq&m=139905458328378&w=2

http://marc.info/?l=bugtraq&m=139905653828999&w=2

http://marc.info/?l=bugtraq&m=139905868529690&w=2

http://marc.info/?l=bugtraq&m=140015787404650&w=2

http://marc.info/?l=bugtraq&m=140075368411126&w=2

http://marc.info/?l=bugtraq&m=140724451518351&w=2

http://marc.info/?l=bugtraq&m=140752315422991&w=2

http://marc.info/?l=bugtraq&m=141287864628122&w=2

http://marc.info/?l=bugtraq&m=142660345230545&w=2

http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1

http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3

http://rhn.redhat.com/errata/RHSA-2014-0376.html

http://rhn.redhat.com/errata/RHSA-2014-0377.html

http://rhn.redhat.com/errata/RHSA-2014-0378.html

http://rhn.redhat.com/errata/RHSA-2014-0396.html

http://seclists.org/fulldisclosure/2014/Apr/109

http://seclists.org/fulldisclosure/2014/Apr/173

http://seclists.org/fulldisclosure/2014/Apr/190

http://seclists.org/fulldisclosure/2014/Apr/90

http://seclists.org/fulldisclosure/2014/Apr/91

http://seclists.org/fulldisclosure/2014/Dec/23

http://secunia.com/advisories/57347

http://secunia.com/advisories/57483

http://secunia.com/advisories/57721

http://secunia.com/advisories/57836

http://secunia.com/advisories/57966

http://secunia.com/advisories/57968

http://secunia.com/advisories/59139

http://secunia.com/advisories/59243

http://secunia.com/advisories/59347

http://support.citrix.com/article/CTX140605

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

http://www-01.ibm.com/support/docview.wss?uid=isg400001841

http://www-01.ibm.com/support/docview.wss?uid=isg400001843

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661

http://www-01.ibm.com/support/docview.wss?uid=swg21670161

http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf

http://www.blackberry.com/btsc/KB35882

http://www.debian.org/security/2014/dsa-2896

http://www.exploit-db.com/exploits/32745

http://www.exploit-db.com/exploits/32764

http://www.f-secure.com/en/web/labs_global/fsc-2014-1

http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/

http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/

http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/

http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/

http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf

http://www.kb.cert.org/vuls/id/720951

http://www.kerio.com/support/kerio-control/release-history

http://www.mandriva.com/security/advisories?name=MDVSA-2015:062

http://www.openssl.org/news/secadv_20140407.txt

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html

http://www.securityfocus.com/archive/1/534161/100/0/threaded

http://www.securityfocus.com/bid/66690

http://www.securitytracker.com/id/1030026

http://www.securitytracker.com/id/1030074

http://www.securitytracker.com/id/1030077

http://www.securitytracker.com/id/1030078

http://www.securitytracker.com/id/1030079

http://www.securitytracker.com/id/1030080

http://www.securitytracker.com/id/1030081

http://www.securitytracker.com/id/1030082

http://www.splunk.com/view/SP-CAAAMB3

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00

http://www.ubuntu.com/usn/USN-2165-1

http://www.us-cert.gov/ncas/alerts/TA14-098A

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0

https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

https://bugzilla.redhat.com/show_bug.cgi?id=1084875

https://code.google.com/p/mod-spdy/issues/detail?id=85

https://filezilla-project.org/versions.php?type=server

https://gist.github.com/chapmajs/10473815

https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04260637-4%257CdocLocale%253Den_US%257CcalledBy%253DSearch_Result&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html

https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217

https://www.cert.fi/en/reports/2014/vulnerability788210.html

https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008

Details

Risk Information

CVSS v2.0