Available Exploits 

• OpenSSL Heartbeat (Heartbleed) Information Leak
• OpenSSL Heartbeat (Heartbleed) Client Memory Exposure

Description

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)and Transport Layer Security (TLS v1) protocols, as well as afull-strength, general purpose cryptography library.An information disclosure flaw was found in the way OpenSSL handled TLS andDTLS Heartbeat Extension packets. A malicious TLS or DTLS client or servercould send a specially crafted TLS or DTLS Heartbeat packet to disclose alimited portion of memory per request from a connected client or server.Note that the disclosed portions of memory could potentially includesensitive information such as private keys. (CVE-2014-0160)Red Hat would like to thank the OpenSSL project for reporting this issue.Upstream acknowledges Neel Mehta of Google Security as the originalreporter.All OpenSSL users are advised to upgrade to these updated packages, whichcontain a backported patch to correct this issue. For the update to takeeffect, all services linked to the OpenSSL library (such as httpd and otherSSL-enabled services) must be restarted or the system rebooted.

References

• BID-66690
• CERT-TA14-098A
• CERT-VN-720951
• CVE-2014-0160
• DEBIAN-DSA-2896
• DISA_SEVERITY-Category I
• DISA_VMSKEY-V0033046
• DISA_VMSKEY-V0043846
• IAVM-2012-A-0104
• IAVM-2014-A-0017
• REDHAT-RHSA-2014:0376
• REDHAT-RHSA-2014:0377
• REDHAT-RHSA-2014:0378
• REDHAT-RHSA-2014:0396
• SUSE-SUSE-SA:2014:002

Solution

Related Vulnerabilities

• F5 Networks: K15159 (CVE-2014-0160): OpenSSL vulnerability CVE-2014-0160
• VMware Workstation: Information Disclosure vulnerability in OpenSSL third party library (VMSA-2014-0004) (CVE-2014-0160)
• Gentoo Linux: CVE-2014-0160: AMD64 x86 emulation base libraries: Multiple vulnerabilities
• HP Systems Insight Manager - (Multiple Advisories) (CVE-2014-0160): Bundled Software running OpenSSL, Remote Disclosure of Information
• HP System Management Homepage - HPSBMU02998 (CVE-2014-0160): OpenSSL on Linux and Windows, Remote Disclosure of Information, Denial of Service (DoS)
• OpenSSL Heartbleed Vulnerability (CVE-2014-0160)
• VMware Player: Information Disclosure vulnerability in OpenSSL third party library (VMSA-2014-0004) (CVE-2014-0160)
• VMSA-2014-0004: Information Disclosure vulnerability in OpenSSL third party library (CVE-2014-0160)
• RHSA-2014:0396: rhev-hypervisor6 security update
• HP iLO: CVE-2014-0160: Denial of Service.
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 7
• RHSA-2014:0378: rhev-hypervisor6 security update
• Google Android Vulnerability: CVE-2014-0160
• USN-2165-1: OpenSSL vulnerabilities
• RHSA-2014:0416: rhevm-spice-client security update
• SUSE: CVE-2014-0160: SUSE Linux Security Advisory
• FreeBSD: OpenSSL -- Remote Information Disclosure (FreeBSD-SA-14:06.openssl) (CVE-2014-0160)
• Oracle Linux: CVE-2014-0160: ELSA-2016-3558 - openssl security update
• ELSA-2014-1652 Important: Oracle Linux openssl security update
• Cent OS: CVE-2014-0160: CESA-2014:0376 (openssl)
• ELSA-2014-0376 Important: Oracle Linux openssl security update
• Amazon Linux AMI: Security patch for openssl (ALAS-2014-320) (multiple CVEs)
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 6
• DSA-2896-1 openssl -- security update
• Juniper Junos OS: 2014-04 Out of Cycle Security Bulletin: Multiple products affected by OpenSSL "Heartbleed" issue (JSA10623) (CVE-2014-0160)
• Oracle Solaris 11: CVE-2014-0160: Vulnerability in OpenSSL
• VMware Fusion: Information Disclosure vulnerability in OpenSSL third party library (VMSA-2014-0004) (CVE-2014-0160)