Vulnerability Name:

CVE-2014-0160

Assigned: 2013-12-03
Published: 2014-04-07
Updated: 2017-11-14
Summary: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
  4.1 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
  4.1 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None
5.0 Medium (REDHAT CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
  4.1 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None
Vulnerability Type: CWE-119, CWE-130, CWE-201
References:
  • CONFIRM: http://advisories.mageia.org/MGASA-2014-0165.html
  • MISC: http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/
  • CONFIRM: http://cogentdatahub.com/ReleaseNotes.html
  • CONFIRM: http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01
  • CONFIRM (VENDOR_ADVISORY): http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
  • MISC: http://heartbleed.com/
  • FEDORA: FEDORA-2014-4879
  • FEDORA: FEDORA-2014-4910
  • FEDORA: FEDORA-2014-9308
  • SUSE: openSUSE-SU-2014:0492
  • SUSE: SUSE-SA:2014:002
  • HP: HPSBMU02995
  • HP: HPSBMU02994
  • HP: HPSBMU02998
  • HP: HPSBMU02997
  • HP: HPSBST03001
  • HP: HPSBMU02999
  • HP: HPSBGN03008
  • HP: HPSBGN03010
  • HP: HPSBMU03012
  • HP: HPSBMU03019
  • HP: HPSBMU03017
  • HP: HPSBMU03018
  • HP: HPSBST03015
  • HP: HPSBMU03013
  • HP: HPSBGN03011
  • HP: HPSBHF03021
  • HP: HPSBPI03014
  • HP: HPSBMU03020
  • HP: HPSBST03016
  • HP: HPSBMU03023
  • HP: HPSBMU03025
  • HP: HPSBMU03022
  • HP: HPSBMU03024
  • HP: HPSBPI03031
  • HP: HPSBMU03029
  • HP: HPSBMU03028
  • HP: HPSBMU03033
  • HP: HPSBMU03030
  • HP: HPSBMU03032
  • HP: HPSBMU03009
  • HP: HPSBST03004
  • HP: HPSBST03027
  • HP: HPSBMU03040
  • HP: HPSBMU03044
  • HP: HPSBMU03037
  • HP: HPSBMU03062
  • HP: HPSBHF03136
  • HP: SSRT101846
  • CONFIRM: http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1
  • CONFIRM: http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3
  • REDHAT: RHSA-2014:0376
  • REDHAT: RHSA-2014:0377
  • REDHAT: RHSA-2014:0378
  • REDHAT: RHSA-2014:0396
  • FULLDISC: 20140409 Re: heartbleed OpenSSL bug CVE-2014-0160
  • FULLDISC: 20140411 MRI Rubies may contain statically linked, vulnerable OpenSSL
  • FULLDISC: 20140412 Re: heartbleed OpenSSL bug CVE-2014-0160
  • FULLDISC: 20140408 heartbleed OpenSSL bug CVE-2014-0160
  • FULLDISC: 20140408 Re: heartbleed OpenSSL bug CVE-2014-0160
  • FULLDISC: 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
  • SECUNIA: 59139
  • SECUNIA: 59243
  • SECUNIA: 59347
  • CONFIRM: http://support.citrix.com/article/CTX140605
  • CISCO: 20140409 OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products
  • CONFIRM: http://www-01.ibm.com/support/docview.wss?uid=isg400001841
  • CONFIRM: http://www-01.ibm.com/support/docview.wss?uid=isg400001843
  • CONFIRM: http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661
  • CONFIRM: http://www-01.ibm.com/support/docview.wss?uid=swg21670161
  • CONFIRM: http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
  • CONFIRM: http://www.blackberry.com/btsc/KB35882
  • DEBIAN: DSA-2896
  • EXPLOIT-DB: 32745
  • EXPLOIT-DB: 32764
  • CONFIRM: http://www.f-secure.com/en/web/labs_global/fsc-2014-1
  • CONFIRM: http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/
  • CONFIRM: http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/
  • CONFIRM: http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/
  • CONFIRM: http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
  • CONFIRM: http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf
  • CERT-VN: VU#720951
  • CONFIRM: http://www.kerio.com/support/kerio-control/release-history
  • MANDRIVA: MDVSA-2015:062
  • CONFIRM (VENDOR_ADVISORY): http://www.openssl.org/news/secadv_20140407.txt
  • CONFIRM: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
  • CONFIRM: http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
  • BUGTRAQ: 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
  • BID: 66690
  • SECTRACK: 1030026
  • SECTRACK: 1030074
  • SECTRACK: 1030077
  • SECTRACK: 1030078
  • SECTRACK: 1030079
  • SECTRACK: 1030080
  • SECTRACK: 1030081
  • SECTRACK: 1030082
  • CONFIRM: http://www.splunk.com/view/SP-CAAAMB3
  • CONFIRM: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00
  • CERT: TA14-098A
  • CONFIRM: http://www.vmware.com/security/advisories/VMSA-2014-0012.html
  • CONFIRM: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
  • MISC: https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
  • CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1084875
  • CONFIRM: https://code.google.com/p/mod-spdy/issues/detail?id=85
  • XF: openssl-cve20140160-info-disc(92322)
  • CONFIRM: https://filezilla-project.org/versions.php?type=server
  • MISC: https://gist.github.com/chapmajs/10473815
  • HP: HPSBST03000
  • MLIST: [syslog-ng-announce] 20140411 syslog-ng Premium Edition 5 LTS (5.0.4a) has been released
  • CONFIRM: https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
  • CONFIRM: https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217
  • MISC: https://www.cert.fi/en/reports/2014/vulnerability788210.html

Vulnerable Configuration: Configuration 1:
  • cpe:/a:openssl:openssl:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

    Oval Definitions (Class: V = vulnerability definition, P = patch definition)
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20140160 | V | CVE-2014-0160 | 2017-11-19
    oval:org.mitre.oval:def:29321 | P | DSA-2896-2 -- openssl -- security update | 2015-08-17
    oval:org.mitre.oval:def:24718 | P | RHSA-2014:0376: openssl security update (Important) | 2015-04-13
    oval:org.mitre.oval:def:24324 | P | ELSA-2014:0376: openssl security update (Important) | 2014-07-21
    oval:org.mitre.oval:def:24606 | P | USN-2165-1 -- openssl vulnerabilities | 2014-07-21
    oval:org.mitre.oval:def:24241 | V | The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read | 2014-07-14
    oval:com.redhat.rhsa:def:20140376 | P | RHSA-2014:0376: openssl security update (Important) | 2014-04-08
    oval:com.ubuntu.precise:def:20140160000 | V | CVE-2014-0160 on Ubuntu 12.04 LTS (precise) - high. | 2014-04-07