Heartbleed

From TBwiki

Latest revision as of 23:57, 6 October 2014


On April 7, 2014, a vulnerability named "Heartbleed" in the OpenSSL cryptography library was publicly announced. Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160. OpenSSL is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client. It results from improper input validation (a missing bounds check) in the implementation of the TLS heartbeat extension; the bug's name derives from "heartbeat". The vulnerability is classified as a buffer over-read, a situation where software allows more data to be read than should be allowed.

Affected Products

None

Details

This vulnerability has no impact on TelcoBridges products or on Toolpack developer customers using CentOS 5.x, which uses an older version of OpenSSL. The vulnerability appeared only starting from OpenSSL 1.0.1, with the support for the TLS/DTLS heartbeat extension (RFC 6520).
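
The missing bounds check described above can be illustrated with the RFC 6520 message layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding). The following is an added example, not OpenSSL or TelcoBridges code; the function names and the sample records are assumptions constructed for illustration, and the pre-fix logic is only modelled arithmetically, without performing the over-read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* RFC 6520 heartbeat_request */
#define HB_RESPONSE 2   /* RFC 6520 heartbeat_response */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Constructed samples: type, 2-byte payload_length, "ping", 16 zero padding bytes. */
static const uint8_t HONEST[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t LYING[23]  = {HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g'};

/* Pre-fix logic modelled without the copy: the length field is trusted, so
   memcpy(out, rec + 3, claimed) would run this many bytes past the record. */
size_t hb_overread_if_unchecked(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t present = rec_len - 3;
    return claimed > present ? claimed - present : 0;
}

/* Hardened handler: returns the response length, or 0 to discard silently. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t total = 1 + 2 + claimed + HB_PADDING;
    if (total > rec_len || total > out_cap) return 0;  /* the missing bounds check */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);          /* echo only bytes that were received */
    memset(out + 3 + claimed, 0, HB_PADDING);   /* real stacks use random padding */
    return total;
}

int main(void)
{
    uint8_t out[64];
    printf("honest: response %zu bytes\n", hb_respond_checked(HONEST, sizeof HONEST, out, sizeof out));
    printf("lying:  response %zu bytes, unchecked over-read %zu bytes\n",
           hb_respond_checked(LYING, sizeof LYING, out, sizeof out),
           hb_overread_if_unchecked(LYING, sizeof LYING));
    return 0;
}
```

The second sample claims a 16384-byte payload inside a 23-byte record; the checked handler discards it, while a handler that trusts the length field would echo memory beyond the record.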

Software Versions and Fixes

Not vulnerable

Update procedure

Not applicable
