SecurityTracker.com
SecurityTracker
Archives
Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1030026
SecurityTracker URL:  http://securitytracker.com/id/1030026
CVE Reference:   CVE-2014-0160
Updated:  Apr 11 2014
Original Entry Date:  Apr 8 2014
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.0.1 through 1.0.1f; 1.0.2-beta (the 0.9.8 and 1.0.0 branches do not contain the heartbeat code and are not affected)
Description:   A vulnerability was reported in OpenSSL. A remote user can obtain potentially sensitive information.

A remote client or server can trigger a buffer overread in the processing of the TLS heartbeat extension (RFC 6520). The heartbeat request carries a payload length field that is attacker controlled; the affected code copies that many bytes into the response without checking the length against the size of the record actually received, so each request returns up to 64 KB of the peer's process memory adjacent to the record. Requests can be repeated without limit, and the memory returned may include private keys, session keys, session cookies, passwords and other plaintext handled by the process. Both directions are affected: a malicious client can read a vulnerable server's memory, and a malicious server can read a vulnerable client's.
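The bug pattern described above, as an added example that is not OpenSSL's own code: a simplified heartbeat handler in the vulnerable shape (the attacker-supplied payload length drives memcpy and is never compared with the record length) beside the fixed shape (the same bounds check that the 1.0.1g patch adds). The record layout, the "ping" payload, the secret placed directly after the record and all function names are constructed for the demonstration; the over-read is confined to a local array so the example runs without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_HEADER_LEN     3    /* type (1 byte) + payload length (2 bytes) */
#define HB_MIN_PADDING    16   /* minimum padding required by RFC 6520 */

/* Vulnerable shape (simplified, not OpenSSL's code): trusts the length field
 * inside the message and never consults rec_len, so memcpy reads past the
 * end of the record that was actually received. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *resp, size_t resp_cap)
{
    (void)rec_len;                                  /* never checked: the bug */
    const uint8_t *p = rec;
    uint8_t type = *p++;
    size_t payload_len = (size_t)(p[0] << 8 | p[1]); /* attacker controlled */
    p += 2;
    if (type != TLS1_HB_REQUEST) return -1;
    size_t out_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (out_len > resp_cap) return -1;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (uint8_t)(payload_len >> 8);
    resp[2] = (uint8_t)(payload_len & 0xff);
    memcpy(resp + HB_HEADER_LEN, p, payload_len);   /* over-read happens here */
    memset(resp + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)out_len;
}

/* Fixed shape: discard records too short to hold a header plus padding,
 * and discard any request whose claimed payload does not fit in rec_len. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *resp, size_t resp_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    const uint8_t *p = rec;
    uint8_t type = *p++;
    size_t payload_len = (size_t)(p[0] << 8 | p[1]);
    p += 2;
    if (type != TLS1_HB_REQUEST) return -1;
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len) return -1; /* the fix */
    size_t out_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (out_len > resp_cap) return -1;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (uint8_t)(payload_len >> 8);
    resp[2] = (uint8_t)(payload_len & 0xff);
    memcpy(resp + HB_HEADER_LEN, p, payload_len);
    memset(resp + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)out_len;
}

/* Constructed "process memory": a 23-byte heartbeat record (4-byte payload
 * "ping" + 16 bytes of padding) followed by data that must never leave the
 * process. SECRET is a made-up string, not real key material. */
static const uint8_t SECRET[] = "CONSTRUCTED-SECRET-KEY-BYTES";
#define SECRET_LEN       (sizeof SECRET - 1)
#define REAL_PAYLOAD_LEN 4
#define RECORD_LEN       (HB_HEADER_LEN + REAL_PAYLOAD_LEN + HB_MIN_PADDING)
#define CLAIMED_LEN      30   /* 4 real + 16 padding + 10 bytes beyond the record */

static void build_memory(uint8_t *mem, size_t claimed_len)
{
    mem[0] = TLS1_HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + HB_HEADER_LEN, "ping", REAL_PAYLOAD_LEN);
    memset(mem + HB_HEADER_LEN + REAL_PAYLOAD_LEN, 0, HB_MIN_PADDING);
    memcpy(mem + RECORD_LEN, SECRET, SECRET_LEN);
}

/* Returns how many bytes of SECRET the vulnerable handler echoed back. */
int leaked_bytes_vulnerable(void)
{
    uint8_t mem[RECORD_LEN + SECRET_LEN], resp[128];
    build_memory(mem, CLAIMED_LEN);
    if (heartbeat_vulnerable(mem, RECORD_LEN, resp, sizeof resp) < 0) return -1;
    size_t beyond = CLAIMED_LEN - REAL_PAYLOAD_LEN - HB_MIN_PADDING;   /* 10 */
    const uint8_t *tail = resp + HB_HEADER_LEN + REAL_PAYLOAD_LEN + HB_MIN_PADDING;
    return memcmp(tail, SECRET, beyond) == 0 ? (int)beyond : 0;
}

/* Returns 1 if the fixed handler discards the oversized claim. */
int fixed_rejects_oversized(void)
{
    uint8_t mem[RECORD_LEN + SECRET_LEN], resp[128];
    build_memory(mem, CLAIMED_LEN);
    return heartbeat_fixed(mem, RECORD_LEN, resp, sizeof resp) == -1;
}

/* Returns the response length (23) when the claimed length is honest. */
int fixed_echoes_honest(void)
{
    uint8_t mem[RECORD_LEN + SECRET_LEN], resp[128];
    build_memory(mem, REAL_PAYLOAD_LEN);
    int n = heartbeat_fixed(mem, RECORD_LEN, resp, sizeof resp);
    if (n < 0) return n;
    return memcmp(resp + HB_HEADER_LEN, "ping", REAL_PAYLOAD_LEN) == 0 ? n : 0;
}

int main(void)
{
    printf("vulnerable handler leaked %d secret bytes\n", leaked_bytes_vulnerable());
    printf("fixed handler rejects oversized claim: %d\n", fixed_rejects_oversized());
    printf("fixed handler honest response length: %d\n", fixed_echoes_honest());
    return 0;
}
```

The bounds check in heartbeat_fixed is the same condition the upstream 1.0.1g patch adds (header plus claimed payload plus padding must not exceed the received record length); in the real library the record lives on the heap, so the bytes that follow it are whatever that process allocated nearby, which is why keys and session data were recoverable.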

The vulnerability was introduced to the source code in December 2011 and to release version 1.0.1 in March 2012.

[Editor's note: This vulnerability is known as the OpenSSL heartbleed vulnerability.]

Neel Mehta of Google Security reported this vulnerability.

Impact:   A remote user can obtain potentially sensitive information, including encryption keys.
Solution:   The vendor has issued a fix (1.0.1g; fix pending for 1.0.2-beta2). Users unable to upgrade immediately can rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS to remove the affected code.

Private keys, session keys and other secrets handled by a vulnerable version may have been read by an attacker without leaving any trace, so upgrading alone is not sufficient: replace the keys (and the certificates issued for them) after the fixed version is deployed, and invalidate existing sessions.

The vendor's advisory is available at:

http://www.openssl.org/news/secadv_20140407.txt

Vendor URL:  www.openssl.org/news/secadv_20140407.txt
Cause:   Boundary error (missing bounds check on the attacker-supplied heartbeat payload length)
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 8 2014 (Red Hat Issues Fix) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Apr 8 2014 (Ubuntu Issues Fix) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
Ubuntu has issued a fix for Ubuntu 12.04 LTS, 12.10, and 13.10.
Apr 8 2014 (Debian Issues Fix) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
Debian has issued a fix.
Apr 9 2014 (FreeBSD Issues Fix) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information   (FreeBSD Security Advisories <security-advisories@freebsd.org>)
FreeBSD has issued a fix for FreeBSD 8.3, 8.4, 9.1, 9.2, and 10.0.
Apr 9 2014 (Cisco Issues Advisory for Cisco AnyConnect Secure Mobility Client for iOS) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
Cisco has issued an advisory for Cisco AnyConnect Secure Mobility Client for iOS.
Apr 9 2014 (Cisco Issues Advisory for Cisco Desktop Collaboration Experience DX650) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
Cisco has issued an advisory for Cisco Desktop Collaboration Experience DX650.
Apr 9 2014 (Cisco Issues Advisory for Cisco Unified IP Phones) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
Cisco has issued an advisory for Cisco Unified 7900, 8900, 9900 series IP Phones.
Apr 9 2014 (Cisco Issues Advisory for Cisco TelePresence Video Communication Server) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
Cisco has issued an advisory for Cisco TelePresence Video Communication Server.
Apr 10 2014 (NetBSD Issues Fix) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information   (NetBSD Security Officer <security-officer@NetBSD.org>)
NetBSD has issued a fix for NetBSD 6.0 and 6.1.
Apr 10 2014 (OpenBSD Issues Fix) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
OpenBSD has issued a fix for OpenBSD 5.3, 5.4, and 5.5.
Apr 11 2014 (F5 Issues Advisory for F5 BIG-IP) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
F5 has issued a fix for F5 BIG-IP.
Apr 11 2014 (WatchGuard Issues Fix for WatchGuard XTM) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
WatchGuard has issued a fix for WatchGuard XTM.
Apr 11 2014 (Juniper Issues Advisory for Junos) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
Juniper has issued an advisory for Junos 13.3R1.
Apr 11 2014 (Red Hat Issues Fix for Red Hat Enterprise Virtualization Hypervisor) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Enterprise Virtualization Hypervisor.
Apr 11 2014 (IBM Issues Fix for AIX) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
IBM has issued an ifix for IBM AIX.
Nov 17 2014 (Siemens Issues Fix for SIMATIC WinCC) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
Siemens has issued a fix for SIMATIC WinCC.
Nov 17 2014 (Siemens Issues Fix for SIMATIC S7-1500) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
Siemens has issued a fix for SIMATIC S7-1500.
Nov 17 2014 (Siemens Issues Fix for SIMATIC CP1543-1) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
Siemens has issued a fix for SIMATIC CP1543-1.



 Source Message Contents

Date:  Tue, 08 Apr 2014 01:01:44 +0000
Subject:  http://www.openssl.org/news/secadv_20140407.txt


http://www.openssl.org/news/secadv_20140407.txt

TLS heartbeat read overrun (CVE-2014-0160)
 
 


Copyright 2014, SecurityGlobal.net LLC