OpenSSL Heartbleed Security Flaw Summary and Resources
erics, Posted April 8th, 2014 at 7:29:26pm
Summary
TLS heartbeat read overrun (CVE-2014-0160) – A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
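To make the missing check concrete, the following C model of heartbeat record handling is added here for this summary; it is not OpenSSL's code, and the names hb_process, hb_overread, hb_selftest and the two sample records are this example's own. hb_process applies the two length checks that the 1.0.1g fix introduced (record long enough for header plus padding; declared payload fits inside the bytes actually received) and echoes only bytes that exist, while hb_overread reports how far beyond the record an implementation that trusts the declared payload_length would read, without performing that read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout from RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Constants and function names are this example's own, not OpenSSL's. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3    /* type + payload_length */
#define HB_PADDING  16   /* minimum padding the peer must send */

/* Big-endian 16-bit read, the job of OpenSSL's n2s() macro. */
static uint16_t hb_rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* How many bytes past the end of the record an implementation that trusts
 * payload_length would copy into its response. 0 means the record is
 * self-consistent; -1 means it is too short to even hold the header. */
long hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return -1;
    size_t claimed = HB_HEADER + (size_t)hb_rd16(rec + 1) + HB_PADDING;
    return claimed > rec_len ? (long)(claimed - rec_len) : 0;
}

/* Heartbeat handling with the bounds checks that 1.0.1g added. Writes the
 * response into `out` and returns its length; returns 0 when the message is
 * not a request (nothing to echo) and -1 when the record is discarded. */
long hb_process(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    /* First check: the record must at least hold the header and padding. */
    if ((size_t)(HB_HEADER + HB_PADDING) > rec_len)
        return -1;

    uint8_t type = rec[0];
    uint16_t payload = hb_rd16(rec + 1);

    /* Second check, the one that was missing: the declared payload must fit
     * inside the bytes actually received. Without it, the memcpy below would
     * read up to 64 KiB of whatever follows the record in memory. */
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec_len)
        return -1;

    if (type != HB_REQUEST)
        return 0;

    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);   /* only bytes that exist */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);    /* OpenSSL fills this with random bytes */
    return (long)resp_len;
}

/* Constructed sample records. Both carry a 5-byte payload plus 16 bytes of
 * padding; the second one lies about its payload_length (0xffff). */
const uint8_t hb_good[] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
                            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t hb_bad[]  = { HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o',
                            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
const size_t hb_good_len = sizeof hb_good;
const size_t hb_bad_len  = sizeof hb_bad;

/* Returns 1 when the checked handler echoes the consistent record and
 * discards the inconsistent one, 0 otherwise. */
int hb_selftest(void)
{
    uint8_t out[64];
    long n = hb_process(hb_good, hb_good_len, out, sizeof out);
    if (n != 24 || out[0] != HB_RESPONSE || memcmp(out + HB_HEADER, "hello", 5) != 0)
        return 0;
    if (hb_process(hb_bad, hb_bad_len, out, sizeof out) != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("consistent record:   %ld bytes of overread\n", hb_overread(hb_good, hb_good_len));
    printf("inconsistent record: %ld bytes of overread\n", hb_overread(hb_bad, hb_bad_len));
    printf("selftest: %s\n", hb_selftest() ? "ok" : "FAIL");
    return 0;
}
```

The number hb_overread reports for the inconsistent record (65530 bytes here) is the "up to 64k" of the summary: the two-byte payload_length can claim at most 65535 bytes, and everything the record does not actually contain would have been copied from adjacent process memory into the response.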
OpenSSL Versions Affected
The 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.
- OpenSSL 1.0.2-beta through 1.0.2-beta1 (inclusive) are vulnerable
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
The bug has been in the wild since OpenSSL 1.0.1 was released on March 14th, 2012. OpenSSL 1.0.1g, released on April 7th, 2014, fixes the bug.
What Do I Do?
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. The 1.0.2 branch will be fixed in 1.0.2-beta2.
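As an added helper for checking an inventory against the ranges above (this is example code, not from the advisory or the OpenSSL project; heartbleed_affected and the sample strings in main are this example's own), the function below classifies a version string in either the bare form "1.0.1f" or the first line printed by `openssl version`:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classifies an OpenSSL version string against the affected ranges:
 *   1.0.1 .. 1.0.1f affected, 1.0.1g fixed;
 *   1.0.2-beta .. 1.0.2-beta1 affected, 1.0.2-beta2 fixed;
 *   1.0.0 and 0.9.8 branches not affected.
 * Returns 1 = affected, 0 = not affected, -1 = could not parse. */
int heartbleed_affected(const char *s)
{
    if (strncmp(s, "OpenSSL ", 8) == 0)   /* accept `openssl version` output as-is */
        s += 8;

    int major, minor, patch, consumed = 0;
    if (sscanf(s, "%d.%d.%d%n", &major, &minor, &patch, &consumed) != 3)
        return -1;
    const char *rest = s + consumed;

    /* The suffix is either a release letter ("f" in 1.0.1f) or "-betaN". */
    char letter = 0;
    int beta = 0, beta_num = 0;
    if (strncmp(rest, "-beta", 5) == 0) {
        beta = 1;
        beta_num = atoi(rest + 5);        /* "-beta" with no number -> 0, the first beta */
    } else if (rest[0] >= 'a' && rest[0] <= 'z') {
        letter = rest[0];
    }

    if (major != 1 || minor != 0)
        return 0;                                        /* 0.9.8 and anything else */
    if (patch == 1)
        return (letter == 0 || letter <= 'f') ? 1 : 0;   /* 1.0.1 .. 1.0.1f */
    if (patch == 2)
        return (beta && beta_num <= 1) ? 1 : 0;          /* 1.0.2-beta .. 1.0.2-beta1 */
    return 0;                                            /* 1.0.0 branch */
}

int main(void)
{
    /* Constructed sample strings in the shape `openssl version` prints. */
    const char *samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 0.9.8y 5 Feb 2013", "not a version"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s -> %d\n", samples[i], heartbleed_affected(samples[i]));
    return 0;
}
```

One caveat for anyone relying on this check: Linux distributions typically backported the fix into their existing packages without changing the upstream version string, so a host reporting 1.0.1e or 1.0.1f may already be patched. Treat a result of 1 as a prompt to inspect the package changelog or the build date shown by `openssl version -b`, not as proof of exposure; a build date of April 7th, 2014 or later usually indicates a rebuilt package.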