CVE-2014-0160

high

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

References

http://advisories.mageia.org/MGASA-2014-0165.html

http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=96db9023b881d7cd9f379b0c154650d6c108e9a3

http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html

http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html

http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html

http://marc.info/?l=bugtraq&m=139722163017074&w=2

http://marc.info/?l=bugtraq&m=139757726426985&w=2

http://marc.info/?l=bugtraq&m=139757819327350&w=2

http://marc.info/?l=bugtraq&m=139757919027752&w=2

http://marc.info/?l=bugtraq&m=139758572430452&w=2

http://marc.info/?l=bugtraq&m=139765756720506&w=2

http://marc.info/?l=bugtraq&m=139774054614965&w=2

http://marc.info/?l=bugtraq&m=139774703817488&w=2

http://marc.info/?l=bugtraq&m=139808058921905&w=2

http://marc.info/?l=bugtraq&m=139817685517037&w=2

http://marc.info/?l=bugtraq&m=139817727317190&w=2

http://marc.info/?l=bugtraq&m=139817782017443&w=2

http://marc.info/?l=bugtraq&m=139824923705461&w=2

http://marc.info/?l=bugtraq&m=139824993005633&w=2

http://marc.info/?l=bugtraq&m=139833395230364&w=2

http://marc.info/?l=bugtraq&m=139835815211508&w=2

http://marc.info/?l=bugtraq&m=139835844111589&w=2

http://marc.info/?l=bugtraq&m=139836085512508&w=2

http://marc.info/?l=bugtraq&m=139842151128341&w=2

http://marc.info/?l=bugtraq&m=139843768401936&w=2

http://marc.info/?l=bugtraq&m=139869720529462&w=2

http://marc.info/?l=bugtraq&m=139869891830365&w=2

http://marc.info/?l=bugtraq&m=139889113431619&w=2

http://marc.info/?l=bugtraq&m=139889295732144&w=2

http://marc.info/?l=bugtraq&m=139905202427693&w=2

http://marc.info/?l=bugtraq&m=139905243827825&w=2

http://marc.info/?l=bugtraq&m=139905295427946&w=2

http://marc.info/?l=bugtraq&m=139905351928096&w=2

http://marc.info/?l=bugtraq&m=139905405728262&w=2

http://marc.info/?l=bugtraq&m=139905458328378&w=2

http://marc.info/?l=bugtraq&m=139905653828999&w=2

http://marc.info/?l=bugtraq&m=139905868529690&w=2

http://marc.info/?l=bugtraq&m=140015787404650&w=2

http://marc.info/?l=bugtraq&m=140075368411126&w=2

http://marc.info/?l=bugtraq&m=140724451518351&w=2

http://marc.info/?l=bugtraq&m=140752315422991&w=2

http://marc.info/?l=bugtraq&m=141287864628122&w=2

http://marc.info/?l=bugtraq&m=142660345230545&w=2

http://rhn.redhat.com/errata/RHSA-2014-0376.html

http://rhn.redhat.com/errata/RHSA-2014-0377.html

http://rhn.redhat.com/errata/RHSA-2014-0378.html

http://rhn.redhat.com/errata/RHSA-2014-0396.html

https://bugzilla.redhat.com/show_bug.cgi?id=1084875

https://cert-portal.siemens.com/productcert/pdf/ssa-635659.pdf

https://code.google.com/p/mod-spdy/issues/detail?id=85

http://seclists.org/fulldisclosure/2014/Apr/109

http://seclists.org/fulldisclosure/2014/Apr/173

http://seclists.org/fulldisclosure/2014/Apr/190

http://seclists.org/fulldisclosure/2014/Apr/90

http://seclists.org/fulldisclosure/2014/Apr/91

http://seclists.org/fulldisclosure/2014/Dec/23

http://secunia.com/advisories/57347

http://secunia.com/advisories/57483

http://secunia.com/advisories/57721

http://secunia.com/advisories/57836

http://secunia.com/advisories/57966

http://secunia.com/advisories/57968

http://secunia.com/advisories/59139

http://secunia.com/advisories/59243

http://secunia.com/advisories/59347

https://gist.github.com/chapmajs/10473815

https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E

https://sku11army.blogspot.com/2020/01/heartbleed-hearts-continue-to-bleed.html

https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217

http://support.citrix.com/article/CTX140605

https://yunus-shn.medium.com/ricon-industrial-cellular-router-heartbleed-attack-2634221c02bd

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

http://www-01.ibm.com/support/docview.wss?uid=isg400001841

http://www-01.ibm.com/support/docview.wss?uid=isg400001843

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661

http://www.debian.org/security/2014/dsa-2896

http://www.exploit-db.com/exploits/32745

http://www.exploit-db.com/exploits/32764

http://www.kb.cert.org/vuls/id/720951

http://www.mandriva.com/security/advisories?name=MDVSA-2015:062

http://www.openssl.org/news/secadv_20140407.txt

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html

http://www.securitytracker.com/id/1030026

http://www.securitytracker.com/id/1030074

http://www.securitytracker.com/id/1030077

http://www.securitytracker.com/id/1030078

http://www.securitytracker.com/id/1030079

http://www.securitytracker.com/id/1030080

http://www.securitytracker.com/id/1030081

http://www.securitytracker.com/id/1030082

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00

http://www.ubuntu.com/usn/USN-2165-1

http://www.us-cert.gov/ncas/alerts/TA14-098A

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

Details

Source: Mitre, NVD

Published: 2014-04-07

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High