OpenSSL Heartbleed Security Flaw Summary and Resources

Posted April 8th, 2014 at 7:29:26pm

Summary

TLS heartbeat read overrun (CVE-2014-0160) – A missing bounds check in the handling of the TLS heartbeat extension (RFC 6520) lets a peer read up to 64 KB of the other side's process memory per heartbeat request. The flaw works in both directions: a malicious client can read a server's memory, and a malicious server can read a connecting client's memory. Nothing is written, so the over-read leaves no trace in the victim's logs.
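The summary above is the whole bug; the following is an added C example (written for this page, not OpenSSL's own code) that reproduces the logic of the unpatched heartbeat handler beside the patched one. It mirrors the shape of OpenSSL's tls1_process_heartbeat: the vulnerable version trusts the 16-bit length field in the record and copies that many bytes into the response, while the fixed version first checks that the claimed payload actually fits inside the record that was received. The simulated process memory (`arena`), the planted fake private-key fragment, and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520 requires at least 16 bytes of padding */

/* Simulated process memory (constructed for this example). The received
 * heartbeat record is placed at the start; the bytes after it stand in for
 * whatever else happened to be nearby in the heap, here a fake key fragment. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";

/* Record layout: type(1) | payload_length(2, big-endian) | payload | padding.
 * claimed_len is what the sender writes into the length field; actual_len is
 * how many payload bytes are really sent. Returns the true record length. */
static size_t build_heartbeat(unsigned char *rec, uint16_t claimed_len,
                              const unsigned char *payload, size_t actual_len)
{
    rec[0] = TLS1_HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + 3, payload, actual_len);
    memset(rec + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Unpatched logic: the length field is trusted and rec_len is never consulted,
 * so the memcpy reads past the real payload into whatever follows it. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;                                   /* the missing check */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t out_len = 3 + payload + HB_PADDING;
    if (out_len > resp_cap) return 0;                /* only the output is bounded */
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);              /* over-read happens here */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return out_len;
}

/* Patched logic, mirroring the check 1.0.1g added: header + claimed payload +
 * padding must fit inside the record actually received, otherwise the record
 * is silently discarded (RFC 6520 section 4). */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;
    size_t out_len = 3 + payload + HB_PADDING;
    if (out_len > resp_cap) return 0;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return out_len;
}

/* Binary-safe substring search (strstr would stop at the first NUL byte). */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Sends one heartbeat with 4 real payload bytes ("ping") but a length field of
 * `claimed` through the chosen handler. Returns the response length (0 if the
 * record was discarded) and sets *leaked if the planted secret came back. */
static size_t run_heartbeat(int use_fix, uint16_t claimed, int *leaked)
{
    static unsigned char resp[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    memcpy(arena + 64, secret, sizeof secret);       /* "nearby" heap contents */
    size_t rec_len = build_heartbeat(arena, claimed, (const unsigned char *)"ping", 4);
    size_t n = use_fix ? heartbeat_fixed(arena, rec_len, resp, sizeof resp)
                       : heartbeat_vulnerable(arena, rec_len, resp, sizeof resp);
    *leaked = n ? contains(resp, n, secret) : 0;
    return n;
}

size_t heartbeat_response_len(int use_fix, uint16_t claimed)
{
    int leaked;
    return run_heartbeat(use_fix, claimed, &leaked);
}

int heartbeat_leaks(int use_fix, uint16_t claimed)
{
    int leaked;
    run_heartbeat(use_fix, claimed, &leaked);
    return leaked;
}

int main(void)
{
    printf("unpatched, claimed 200: %zu bytes back, secret leaked: %s\n",
           heartbeat_response_len(0, 200), heartbeat_leaks(0, 200) ? "yes" : "no");
    printf("patched,   claimed 200: %zu bytes back, secret leaked: %s\n",
           heartbeat_response_len(1, 200), heartbeat_leaks(1, 200) ? "yes" : "no");
    printf("patched, well-formed:   %zu bytes back\n", heartbeat_response_len(1, 4));
    return 0;
}
```

With a 4-byte payload and a claimed length of 200, the unpatched handler returns a 219-byte response that contains the planted key fragment; the patched handler returns nothing, and still answers a well-formed 4-byte heartbeat with the expected 23-byte response. In real OpenSSL the copy source is the heap buffer holding the TLS record, so what comes back is whatever the process last used that memory for, which is why keys, cookies and passwords were recoverable.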

OpenSSL Versions Affected

The 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

  • OpenSSL 1.0.2-beta through 1.0.2-beta1 (inclusive) are vulnerable
  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

The vulnerable code has shipped since OpenSSL 1.0.1, released on March 14th, 2012. OpenSSL 1.0.1g, released on April 7th, 2014, fixes the bug.

What Do I Do?

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS, which removes the heartbeat extension entirely. In either case, every process that has the library loaded (web servers, mail servers, VPN daemons and so on) must be restarted for the fix to take effect; checking `openssl version` only tells you about the command-line binary, not about long-running services that linked the old library. Because the over-read can expose anything that was in a vulnerable process's memory, treat private keys, session cookies and passwords handled by that process as potentially compromised: reissue certificates and rotate credentials once the patched version is in place.

1.0.2 will be fixed in 1.0.2-beta2.

Resources
