Heartbleed: OpenSSL Heartbeat Extension Vulnerability



On April 7, 2014, a vulnerability named "Heartbleed" in the OpenSSL cryptography library was publicly announced. Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160. OpenSSL is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client. It results from improper input validation (a missing bounds check) in the implementation of the TLS heartbeat extension, from which the bug's name derives. The vulnerability is classified as a buffer over-read, a situation where software allows more data to be read than should be allowed.
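
The missing bounds check described above can be illustrated with a simplified model of a heartbeat receiver. This is an added example, not OpenSSL or TelcoBridges code: the function names, the 64-byte arena and the sample record are constructed for illustration, and the message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HDR 3                       /* type (1) + payload_length (2) */
#define HB_PAD 16                      /* minimum padding in RFC 6520 */
#define REC_LEN (HB_HDR + 4 + HB_PAD)  /* sample record: 4-byte payload */

/* Flawed pattern: copy as many bytes as the sender's length field claims,
 * never comparing the claim with the number of bytes actually received. */
size_t hb_echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                       /* the missing bounds check */
    memcpy(out, rec + HB_HDR, claimed);  /* over-reads when the claim is too big */
    return claimed;
}

/* Hardened form: discard a record whose header, claimed payload and padding
 * do not fit in what was received. Returns bytes echoed, or -1 if discarded. */
long hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HDR + HB_PAD) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PAD > rec_len || claimed > cap)
        return -1;
    memcpy(out, rec + HB_HDR, claimed);
    return (long)claimed;
}

/* Constructed sample: the record sits at the start of a 64-byte arena; the
 * 'S' bytes after it stand in for unrelated process memory. */
static uint8_t arena[64], reply[64];
const uint8_t *build_sample(uint8_t claimed)
{
    memset(arena, 'S', sizeof arena);
    arena[0] = 1; arena[1] = 0; arena[2] = claimed;  /* heartbeat request */
    memcpy(arena + HB_HDR, "ping", 4);
    memset(arena + HB_HDR + 4, 0, HB_PAD);
    return arena;
}

/* Stand-in bytes that reach the reply when the record claims 40 bytes. */
size_t demo_leaked_bytes(void)
{
    size_t i, leaked = 0, n = hb_echo_unchecked(build_sample(40), REC_LEN, reply);
    for (i = 0; i < n; i++) leaked += (reply[i] == 'S');
    return leaked;
}
```

With the 23-byte sample record claiming a 40-byte payload, the unchecked copy returns 20 bytes that were never part of the record, while the checked form discards the record and still echoes a correctly sized one.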

Affected Products

None

Details

This vulnerability has no impact on TelcoBridges products or on Toolpack developer customers using CentOS 5.x, which use an older version of OpenSSL. The vulnerability appeared only starting with OpenSSL 1.0.1, which added support for the TLS/DTLS heartbeat extension (RFC 6520).

Software Versions and Fixes

Not vulnerable

Update procedure

Not applicable
