Software Development jobs in SF Bay area

Loading...

Wednesday, April 9, 2014

Heartbleed Bug (vulnerable OpenSSL) CVE-2014-0160

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected by the SSL encryption used to secure the Internet. SSL provides security and privacy for applications such as web, email, instant messaging (IM) and virtual private networks (VPNs).


The Heartbleed bug allows anyone on the Internet to read the user names and passwords, instant messages, emails and business critical documents and communication protected by the vulnerable versions of the OpenSSL software. It compromises the secret keys used to identify the service providers and to encrypt the traffic. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. 

Operating system distributions that have shipped with the vulnerable OpenSSL version:
Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) 
OpenBSD 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:
Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
SUSE Linux Enterprise Server
FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

This was published as a follow-up to the OpenSSL advisory on 7th of April 2014. 

The OpenSSL project has made a statement at
https://www.openssl.org/news/secadv_20140407.txt.

NCSC-FI published an advisory at
https://www.cert.fi/en/reports/2014/vulnerability788210.html. 

Individual vendors of operating system distributions, affected owners of Internet services, software packages and appliance vendors may issue their own advisories.

References:
CVE-2014-0160
NCSC-FI case# 788210
http://www.openssl.org/news/secadv_20140407.txt 
(published 7th of April 2014, ~17:30 UTC)
http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities 
(published 7th of April 2014, ~18:00 UTC)
http://heartbleed.com
(published 7th of April 2014, ~19:00 UTC)
http://www.ubuntu.com/usn/usn-2165-1/
http://www.freshports.org/security/openssl/
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
https://rhn.redhat.com/errata/RHSA-2014-0376.html
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
http://www.kb.cert.org/vuls/id/720951
https://www.cert.fi/en/reports/2014/vulnerability788210.html
https://www.cert.at/warnings/all/20140408.html
http://www.circl.lu/pub/tr-21/

Test your server for HeartBleed bug here:
https://heartbleed.hostgator.com/