CVE-2014-0160high
Description
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
References
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
https://bugzilla.redhat.com/show_bug.cgi?id=1084875
http://www.openssl.org/news/secadv_20140407.txt
http://www.securitytracker.com/id/1030078
http://seclists.org/fulldisclosure/2014/Apr/109
http://seclists.org/fulldisclosure/2014/Apr/190
https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html
http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
http://rhn.redhat.com/errata/RHSA-2014-0376.html
http://rhn.redhat.com/errata/RHSA-2014-0396.html
http://www.securitytracker.com/id/1030082
http://secunia.com/advisories/57347
http://marc.info/?l=bugtraq&m=139722163017074&w=2
http://www.securitytracker.com/id/1030077
http://www-01.ibm.com/support/docview.wss?uid=swg21670161
http://www.debian.org/security/2014/dsa-2896
http://rhn.redhat.com/errata/RHSA-2014-0377.html
http://www.securitytracker.com/id/1030080
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html
http://www.securitytracker.com/id/1030074
http://seclists.org/fulldisclosure/2014/Apr/90
http://www.securitytracker.com/id/1030081
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
http://rhn.redhat.com/errata/RHSA-2014-0378.html
http://seclists.org/fulldisclosure/2014/Apr/91
http://secunia.com/advisories/57483
http://www.splunk.com/view/SP-CAAAMB3
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html
http://www.securitytracker.com/id/1030079
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html
http://secunia.com/advisories/57721
http://www.blackberry.com/btsc/KB35882
http://www.securitytracker.com/id/1030026
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html
http://www.securityfocus.com/bid/66690
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/
http://www.us-cert.gov/ncas/alerts/TA14-098A
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/
http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
http://secunia.com/advisories/57966
http://www.f-secure.com/en/web/labs_global/fsc-2014-1
http://seclists.org/fulldisclosure/2014/Apr/173
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
http://secunia.com/advisories/57968
https://code.google.com/p/mod-spdy/issues/detail?id=85
http://www.exploit-db.com/exploits/32745
http://www.kb.cert.org/vuls/id/720951
https://www.cert.fi/en/reports/2014/vulnerability788210.html
http://www.exploit-db.com/exploits/32764
http://secunia.com/advisories/57836
https://gist.github.com/chapmajs/10473815
http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/
http://cogentdatahub.com/ReleaseNotes.html
http://marc.info/?l=bugtraq&m=139905458328378&w=2
http://marc.info/?l=bugtraq&m=139869891830365&w=2
http://marc.info/?l=bugtraq&m=139889113431619&w=2
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1
http://www.kerio.com/support/kerio-control/release-history
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3
http://advisories.mageia.org/MGASA-2014-0165.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www-01.ibm.com/support/docview.wss?uid=isg400001843
https://filezilla-project.org/versions.php?type=server
http://www-01.ibm.com/support/docview.wss?uid=isg400001841
https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217
http://marc.info/?l=bugtraq&m=141287864628122&w=2
http://seclists.org/fulldisclosure/2014/Dec/23
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
http://marc.info/?l=bugtraq&m=142660345230545&w=2
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062
http://marc.info/?l=bugtraq&m=139817727317190&w=2
http://marc.info/?l=bugtraq&m=139757726426985&w=2
http://marc.info/?l=bugtraq&m=139758572430452&w=2
http://marc.info/?l=bugtraq&m=139905653828999&w=2
http://marc.info/?l=bugtraq&m=139842151128341&w=2
http://marc.info/?l=bugtraq&m=139905405728262&w=2
http://marc.info/?l=bugtraq&m=139833395230364&w=2
http://marc.info/?l=bugtraq&m=139824993005633&w=2
http://marc.info/?l=bugtraq&m=139843768401936&w=2
http://marc.info/?l=bugtraq&m=139905202427693&w=2
http://marc.info/?l=bugtraq&m=139774054614965&w=2
http://marc.info/?l=bugtraq&m=139889295732144&w=2
http://marc.info/?l=bugtraq&m=139835815211508&w=2
http://marc.info/?l=bugtraq&m=140724451518351&w=2
http://marc.info/?l=bugtraq&m=139808058921905&w=2
http://marc.info/?l=bugtraq&m=139836085512508&w=2
http://marc.info/?l=bugtraq&m=139869720529462&w=2
http://marc.info/?l=bugtraq&m=139905868529690&w=2
http://marc.info/?l=bugtraq&m=139765756720506&w=2
http://marc.info/?l=bugtraq&m=140015787404650&w=2
http://marc.info/?l=bugtraq&m=139824923705461&w=2
http://marc.info/?l=bugtraq&m=139757919027752&w=2
http://marc.info/?l=bugtraq&m=139774703817488&w=2
http://marc.info/?l=bugtraq&m=139905243827825&w=2
http://marc.info/?l=bugtraq&m=140075368411126&w=2
http://marc.info/?l=bugtraq&m=139905295427946&w=2
http://marc.info/?l=bugtraq&m=139835844111589&w=2
http://marc.info/?l=bugtraq&m=139757819327350&w=2
http://marc.info/?l=bugtraq&m=139817685517037&w=2
http://marc.info/?l=bugtraq&m=139905351928096&w=2
http://marc.info/?l=bugtraq&m=139817782017443&w=2
http://marc.info/?l=bugtraq&m=140752315422991&w=2
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661
http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf
http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
http://secunia.com/advisories/59347
http://secunia.com/advisories/59243
http://secunia.com/advisories/59139
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01
https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
http://support.citrix.com/article/CTX140605
http://www.ubuntu.com/usn/USN-2165-1
http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
https://sku11army.blogspot.com/2020/01/heartbleed-hearts-continue-to-bleed.html
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
https://cert-portal.siemens.com/productcert/pdf/ssa-635659.pdf
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
https://yunus-shn.medium.com/ricon-industrial-cellular-router-heartbleed-attack-2634221c02bd
Details
Source: MITRE
Published: 2014-04-07
Updated: 2022-11-15
Type: CWE-119
Risk Information
CVSS v2
Base Score: 5
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Impact Score: 2.9
Exploitability Score: 10
Severity: MEDIUM
CVSS v3
Base Score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Impact Score: 3.6
Exploitability Score: 3.9
Severity: HIGH