Article ID: 16130
Products
The issue affects products which use OpenSSL 1.0.1 (March 2012) through 1.0.1f for SSL/HTTPS support.
OpenSSL 1.0.1g, released April 7 2014, resolves the vulnerability.
Affected:
- Black Diamond Series X8, 8900, and 8800 running EXOS version 15.4.1
- Summit Series X770, X670, X480, X460, X440, X430, E4G-200, and E4G-400 running EXOS version 15.4.1
- 64-bit (Ubuntu) hardware-based and virtual NetSight appliances running version 4.4, 5.0, 5.1, or 6.0
- 64-bit (Ubuntu) hardware-based and virtual NAC & IA appliances running version 5.0, 5.1, or 6.0
- 64-bit (Ubuntu) hardware-based and virtual Purview appliances running version 6.0
Discussion
Vulnerability notification
CVE-2014-0160 was released on April 7 2014.
Its Overview states:
code:The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
The high visibility and potentially high impact of this issue has spawned many follow-up reports which are visible in a web search for "
" or "
".
Patches have been developed to address this vulnerability across all affected products, and these will be included in subsequent GA releases. Patch availability is discussed in
16131, which addresses this issue being tracked as US-CERT Vulnerability Advisory VU#720951.
Note that later variations on the Heartbleed exploit, such as Heartbleed Cupid, ultimately rely on the same vulnerability. That is, products vulnerable to Heartbleed are also vulnerable to the Heartbleed variations, but may be treated as explained in this article; and products not vulnerable to Heartbleed are also not vulnerable to the Heartbleed variations.
