CVE-2014-0160

Severity: High

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

References

https://www.tenable.com/blog/from-bugs-to-breaches-25-significant-cves-as-mitre-cve-turns-25

https://blog.checkpoint.com/security/march-2024s-most-wanted-malware-hackers-discover-new-infection-chain-method-to-deliver-remcos/

https://www.darkreading.com/vulnerabilities-threats/prepare-critical-flaw-openssl-security-experts-warn

https://www.threatdown.com/blog/five-years-later-heartbleed-vulnerability-still-unpatched/

https://www.theregister.com/2017/01/23/heartbleed_2017/

https://cloud.google.com/blog/topics/threat-intelligence/attackers-exploit-heartbleed-openssl-vulnerability/

https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008

https://www.cert.fi/en/reports/2014/vulnerability788210.html

https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217

https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html

https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E

https://filezilla-project.org/versions.php?type=server

https://code.google.com/p/mod-spdy/issues/detail?id=85

https://cert-portal.siemens.com/productcert/pdf/ssa-635659.pdf

https://bugzilla.redhat.com/show_bug.cgi?id=1084875

https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

http://www.us-cert.gov/ncas/alerts/TA14-098A

http://www.ubuntu.com/usn/USN-2165-1

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00

http://www.splunk.com/view/SP-CAAAMB3

http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

http://www.kb.cert.org/vuls/id/720951

http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf

http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/

http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/

http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/

http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/

http://www.debian.org/security/2014/dsa-2896

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661

http://www-01.ibm.com/support/docview.wss?uid=isg400001843

http://www-01.ibm.com/support/docview.wss?uid=isg400001841

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

http://support.citrix.com/article/CTX140605

http://seclists.org/fulldisclosure/2014/Dec/23

http://seclists.org/fulldisclosure/2014/Apr/91

http://seclists.org/fulldisclosure/2014/Apr/90

http://seclists.org/fulldisclosure/2014/Apr/190

http://seclists.org/fulldisclosure/2014/Apr/173

http://seclists.org/fulldisclosure/2014/Apr/109

http://rhn.redhat.com/errata/RHSA-2014-0396.html

http://rhn.redhat.com/errata/RHSA-2014-0378.html

http://rhn.redhat.com/errata/RHSA-2014-0377.html

http://rhn.redhat.com/errata/RHSA-2014-0376.html

http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3

http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1

http://marc.info/?l=bugtraq&m=142660345230545&w=2

http://marc.info/?l=bugtraq&m=141287864628122&w=2

http://marc.info/?l=bugtraq&m=140752315422991&w=2

http://marc.info/?l=bugtraq&m=140724451518351&w=2

http://marc.info/?l=bugtraq&m=140075368411126&w=2

http://marc.info/?l=bugtraq&m=140015787404650&w=2

http://marc.info/?l=bugtraq&m=139905868529690&w=2

http://marc.info/?l=bugtraq&m=139905653828999&w=2

http://marc.info/?l=bugtraq&m=139905458328378&w=2

http://marc.info/?l=bugtraq&m=139905405728262&w=2

http://marc.info/?l=bugtraq&m=139905351928096&w=2

http://marc.info/?l=bugtraq&m=139905295427946&w=2

http://marc.info/?l=bugtraq&m=139905243827825&w=2

http://marc.info/?l=bugtraq&m=139905202427693&w=2

http://marc.info/?l=bugtraq&m=139889295732144&w=2

http://marc.info/?l=bugtraq&m=139889113431619&w=2

http://marc.info/?l=bugtraq&m=139869891830365&w=2

http://marc.info/?l=bugtraq&m=139869720529462&w=2

http://marc.info/?l=bugtraq&m=139843768401936&w=2

http://marc.info/?l=bugtraq&m=139842151128341&w=2

http://marc.info/?l=bugtraq&m=139836085512508&w=2

http://marc.info/?l=bugtraq&m=139835844111589&w=2

http://marc.info/?l=bugtraq&m=139835815211508&w=2

http://marc.info/?l=bugtraq&m=139833395230364&w=2

http://marc.info/?l=bugtraq&m=139824993005633&w=2

http://marc.info/?l=bugtraq&m=139824923705461&w=2

http://marc.info/?l=bugtraq&m=139817782017443&w=2

http://marc.info/?l=bugtraq&m=139817727317190&w=2

http://marc.info/?l=bugtraq&m=139817685517037&w=2

http://marc.info/?l=bugtraq&m=139808058921905&w=2

http://marc.info/?l=bugtraq&m=139774703817488&w=2

http://marc.info/?l=bugtraq&m=139774054614965&w=2

http://marc.info/?l=bugtraq&m=139765756720506&w=2

http://marc.info/?l=bugtraq&m=139758572430452&w=2

http://marc.info/?l=bugtraq&m=139757919027752&w=2

http://marc.info/?l=bugtraq&m=139757819327350&w=2

http://marc.info/?l=bugtraq&m=139757726426985&w=2

http://marc.info/?l=bugtraq&m=139722163017074&w=2

http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html

http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html

http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html

http://heartbleed.com/

http://cogentdatahub.com/ReleaseNotes.html

http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/

http://advisories.mageia.org/MGASA-2014-0165.html

Details

Source: Mitre, NVD

Published: 2014-04-07

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High