CVE-2014-0160

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVSS v3.0 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3	Patch Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1084875	Issue Tracking Third Party Advisory
http://www.openssl.org/news/secadv_20140407.txt	Vendor Advisory
http://heartbleed.com/	Third Party Advisory
http://www.securitytracker.com/id/1030078	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2014/Apr/109	Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2014/Apr/190	Mailing List Third Party Advisory
https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html	Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0376.html	Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0396.html	Third Party Advisory
http://www.securitytracker.com/id/1030082	Third Party Advisory VDB Entry
http://secunia.com/advisories/57347	Third Party Advisory
http://marc.info/?l=bugtraq&m=139722163017074&w=2	Third Party Advisory
http://www.securitytracker.com/id/1030077	Third Party Advisory VDB Entry
http://www-01.ibm.com/support/docview.wss?uid=swg21670161	Broken Link
http://www.debian.org/security/2014/dsa-2896	Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0377.html	Third Party Advisory
http://www.securitytracker.com/id/1030080	Third Party Advisory VDB Entry
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html	Third Party Advisory
http://www.securitytracker.com/id/1030074	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2014/Apr/90	Mailing List Third Party Advisory
http://www.securitytracker.com/id/1030081	Third Party Advisory VDB Entry
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed	Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0378.html	Third Party Advisory
http://seclists.org/fulldisclosure/2014/Apr/91	Mailing List Third Party Advisory
http://secunia.com/advisories/57483	Third Party Advisory
http://www.splunk.com/view/SP-CAAAMB3	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html	Third Party Advisory
http://www.securitytracker.com/id/1030079	Third Party Advisory VDB Entry
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html	Mailing List Third Party Advisory
http://secunia.com/advisories/57721	Third Party Advisory
http://www.blackberry.com/btsc/KB35882	Broken Link
http://www.securitytracker.com/id/1030026	Third Party Advisory VDB Entry
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/66690	Third Party Advisory VDB Entry
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/	Third Party Advisory
http://www.us-cert.gov/ncas/alerts/TA14-098A	Third Party Advisory US Government Resource
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/	Third Party Advisory
http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/	Third Party Advisory
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160	Third Party Advisory
http://secunia.com/advisories/57966	Third Party Advisory
http://www.f-secure.com/en/web/labs_global/fsc-2014-1	Third Party Advisory
http://seclists.org/fulldisclosure/2014/Apr/173	Mailing List Third Party Advisory
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/	Third Party Advisory
http://secunia.com/advisories/57968	Third Party Advisory
https://code.google.com/p/mod-spdy/issues/detail?id=85	Third Party Advisory
http://www.exploit-db.com/exploits/32745	Exploit Third Party Advisory VDB Entry
http://www.kb.cert.org/vuls/id/720951	Third Party Advisory US Government Resource
https://www.cert.fi/en/reports/2014/vulnerability788210.html	Third Party Advisory
http://www.exploit-db.com/exploits/32764	Exploit Third Party Advisory VDB Entry
http://secunia.com/advisories/57836	Third Party Advisory
https://gist.github.com/chapmajs/10473815	Third Party Advisory
http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/	Third Party Advisory
http://cogentdatahub.com/ReleaseNotes.html	Release Notes Third Party Advisory
http://marc.info/?l=bugtraq&m=139905458328378&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139869891830365&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139889113431619&w=2	Third Party Advisory
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1	Third Party Advisory Third Party Advisory
http://www.kerio.com/support/kerio-control/release-history	Third Party Advisory
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3	Third Party Advisory
http://advisories.mageia.org/MGASA-2014-0165.html	Third Party Advisory
https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04260637-4%257CdocLocale%253Den_US%257CcalledBy%253DSearch_Result&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken	Broken Link
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=isg400001843	Third Party Advisory
https://filezilla-project.org/versions.php?type=server	Release Notes Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=isg400001841	Third Party Advisory
https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217	Third Party Advisory
http://marc.info/?l=bugtraq&m=141287864628122&w=2	Third Party Advisory
http://seclists.org/fulldisclosure/2014/Dec/23	Mailing List Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2014-0012.html	Not Applicable
http://marc.info/?l=bugtraq&m=142660345230545&w=2	Third Party Advisory
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0	Not Applicable
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062	Third Party Advisory
http://marc.info/?l=bugtraq&m=139817727317190&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139757726426985&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139758572430452&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905653828999&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139842151128341&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905405728262&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139833395230364&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139824993005633&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139843768401936&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905202427693&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139774054614965&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139889295732144&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139835815211508&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=140724451518351&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139808058921905&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139836085512508&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139869720529462&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905868529690&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139765756720506&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=140015787404650&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139824923705461&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139757919027752&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139774703817488&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905243827825&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=140075368411126&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905295427946&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139835844111589&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139757819327350&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139817685517037&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905351928096&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139817782017443&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=140752315422991&w=2	Third Party Advisory
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661	Third Party Advisory
http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf	Not Applicable
http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf	Third Party Advisory
http://secunia.com/advisories/59347	Third Party Advisory
http://secunia.com/advisories/59243	Third Party Advisory
http://secunia.com/advisories/59139	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html	Mailing List Third Party Advisory
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01	Broken Link
https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html	Third Party Advisory
http://support.citrix.com/article/CTX140605	Third Party Advisory
http://www.ubuntu.com/usn/USN-2165-1	Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html	Mailing List Third Party Advisory
http://www.securityfocus.com/archive/1/534161/100/0/threaded	Not Applicable
https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008	Third Party Advisory
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E	Mailing List Patch Third Party Advisory
https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E	Mailing List Patch Third Party Advisory
https://sku11army.blogspot.com/2020/01/heartbleed-hearts-continue-to-bleed.html	Exploit Third Party Advisory
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E	Mailing List Patch Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-635659.pdf	Third Party Advisory
https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E	Mailing List Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:filezilla-project:filezilla_server:*:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:siemens:application_processing_engine_firmware:2.0:*:*:*:*:*:*:*

cpe:2.3:h:siemens:application_processing_engine:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:siemens:cp_1543-1_firmware:1.1:*:*:*:*:*:*:*

cpe:2.3:h:siemens:cp_1543-1:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:siemens:simatic_s7-1500_firmware:1.5:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simatic_s7-1500:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:siemens:simatic_s7-1500t_firmware:1.5:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simatic_s7-1500t:-:*:*:*:*:*:*:*

Configuration 7 (hide)

OR	cpe:2.3:a:siemens:elan-8.2::::::::
	cpe:2.3:a:siemens:wincc_open_architecture:3.12:::::::*

Configuration 8 (hide)

AND

OR	cpe:2.3:o:intellian:v100_firmware:1.20:::::::*
	cpe:2.3:o:intellian:v100_firmware:1.21:::::::*
	cpe:2.3:o:intellian:v100_firmware:1.24:::::::*

cpe:2.3:h:intellian:v100:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

OR	cpe:2.3:o:intellian:v60_firmware:1.15:::::::*
	cpe:2.3:o:intellian:v60_firmware:1.25:::::::*

cpe:2.3:h:intellian:v60:-:*:*:*:*:*:*:*

Configuration 10 (hide)

OR	cpe:2.3:a:mitel:micollab:6.0:::::::*
	cpe:2.3:a:mitel:micollab:7.0:::::::*
	cpe:2.3:a:mitel:micollab:7.1:::::::*
	cpe:2.3:a:mitel:micollab:7.2:::::::*
	cpe:2.3:a:mitel:micollab:7.3:::::::*
	cpe:2.3:a:mitel:micollab:7.3.0.104:::::::*
	cpe:2.3:a:mitel:mivoice:1.1.2.5:::::lync::
	cpe:2.3:a:mitel:mivoice:1.1.3.3:::::skype_for_business::
	cpe:2.3:a:mitel:mivoice:1.2.0.11:::::skype_for_business::
	cpe:2.3:a:mitel:mivoice:1.3.2.2:::::skype_for_business::
	cpe:2.3:a:mitel:mivoice:1.4.0.102:::::skype_for_business::

Configuration 11 (hide)

OR	cpe:2.3:o:opensuse:opensuse:12.3:::::::*
	cpe:2.3:o:opensuse:opensuse:13.1:::::::*

Configuration 12 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:13.10:::::::*

Configuration 13 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:19:::::::*
	cpe:2.3:o:fedoraproject:fedora:20:::::::*

Configuration 14 (hide)

OR	cpe:2.3:a:redhat:gluster_storage:2.1:::::::*
	cpe:2.3:a:redhat:storage:2.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_eus:6.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:6.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
	cpe:2.3:a:redhat:virtualization:6.0:::::::*

Configuration 15 (hide)

OR	cpe:2.3:o:debian:debian_linux:6.0:::::::*
	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*

Information

Published : 2014-04-07 22:55

Updated : 2020-07-28 17:11

NVD link : CVE-2014-0160

Mitre link : CVE-2014-0160

JSON object : View

Products Affected

redhat

enterprise_linux_server
storage
enterprise_linux_desktop
enterprise_linux_workstation
enterprise_linux_server_aus
enterprise_linux_server_tus
enterprise_linux_server_eus
virtualization
gluster_storage

openssl

openssl

debian

debian_linux

siemens

cp_1543-1
wincc_open_architecture
elan-8.2
simatic_s7-1500
simatic_s7-1500_firmware
application_processing_engine_firmware
application_processing_engine
simatic_s7-1500t
cp_1543-1_firmware
simatic_s7-1500t_firmware

intellian

v100_firmware
v60_firmware
v60
v100

canonical

ubuntu_linux

opensuse

opensuse

mitel

mivoice
micollab

fedoraproject

fedora

filezilla-project

filezilla_server

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

7.5^/10

5.0^/10