OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)


OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability includes:

  • Primary key material (secret keys)
  • Secondary key material (user names and passwords used by vulnerable services)
  • Protected content (sensitive data used by vulnerable services)
  • Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Exploit code is publicly available for this vulnerability.

Solution

OpenSSL 1.0.1g has been released to address this vulnerability. Any keys generated with a vulnerable version of OpenSSL should be considered compromised; regenerate and deploy them after the patch has been applied.

The SiteMaestro Agent version 3.9.5 3 addresses this issue.

Tip

Upgrade to SiteMaestro Agent v3.9.5 3 or later.
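
To find hosts that fall in the affected range given above (1.0.1 through 1.0.1f, fixed in 1.0.1g), the following added example, which is not part of the original article, classifies `openssl version` output and lists the hosts that need the upgrade and key regeneration. The function names, the "host version-string" inventory format and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify an OpenSSL version against the range stated in this article:
# 1.0.1 through 1.0.1f affected, 1.0.1g fixed. Accepts a bare version or
# the full output of `openssl version`.
classify_openssl() {
    ver=$1
    case $ver in
        OpenSSL\ *) ver=${ver#OpenSSL }; ver=${ver%% *} ;;  # keep the version token only
    esac
    ver=${ver%-fips}    # "-fips" builds keep the upstream release letter
    case $ver in
        1.0.1|1.0.1[abcdef])  echo affected ;;
        1.0.1[g-z])           echo fixed ;;
        *-*|'')               echo unknown ;;        # pre-release or vendor suffix
        [0-9]*.[0-9]*.[0-9]*) echo outside-range ;;  # not in the range above
        *)                    echo unknown ;;        # not an OpenSSL version string
    esac
}

# Read "host version-string" lines on stdin and print the hosts whose
# OpenSSL is in the affected range. Keys generated on those hosts are the
# ones to regenerate after patching.
affected_hosts() {
    while read -r host version; do
        if [ "$(classify_openssl "$version")" = affected ]; then
            echo "$host"
        fi
    done
    return 0
}

# Constructed sample inventory (hypothetical host names).
sample_inventory() {
    cat <<'EOF'
web01 OpenSSL 1.0.1e 11 Feb 2013
web02 OpenSSL 1.0.1g 7 Apr 2014
vpn01 OpenSSL 1.0.1e-fips 11 Feb 2013
old01 OpenSSL 0.9.8y 5 Feb 2013
lab01 OpenSSL 1.0.2-beta1 24 Feb 2014
EOF
}

sample_inventory | affected_hosts
```

Distribution packages can carry a backported fix without changing the release letter, so an "affected" result from a vendor-packaged build should be checked against that vendor's advisory.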

Related articles

 https://www.us-cert.gov/ncas/alerts/TA14-098A
