OpenSSL 1.0.1 and 1.0.2 beta contain a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed."
OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2 beta through 1.0.2-beta1 contain a flaw in its implementation of the TLS/DTLS heartbeat functionality (RFC6520). This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL libssl library in chunks of up to 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to increase the chances that a leaked chunk contains the intended secrets. The sensitive information that may be retrieved using this vulnerability include:
Please see the Heartbleed website for more details. Exploit code for this vulnerability is publicly available. Any service that supports STARTTLS (imap,smtp,http,pop) may also be affected.
By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.
Apply an update
Disable OpenSSL heartbeat support
This vulnerability was reported by OpenSSL, who in turn credits Riku, Antti and Matti at Codenomicon and Neel Mehta of Google Security.
This document was written by Will Dormann.
|Date First Published:||2014-04-08|
|Date Last Updated:||2016-05-13 15:26 UTC|